Chain Privacy Policy

This Privacy Policy describes the policies and procedures of Chain (“we”, “our” or “us”) on the collection, use and disclosure of your information on https://chain.com (the “Site”) and the services, features, content or applications we offer (collectively with the Site, the “Services”). We receive information about you from various sources, including: (i) your use of the Services generally; and (ii) from third party websites and services. When you use the Services, you are consenting to the collection, transfer, manipulation, storage, disclosure and other uses of your information as described in this Privacy Policy.

What Does This Privacy Policy Cover?

This Privacy Policy covers the treatment of personally identifiable information (“Personal Information”) gathered when you are using or accessing the Services. This Privacy Policy also covers our treatment of any Personal Information that our business partners share with us or that we share with our business partners.

This Privacy Policy does not apply to the practices of third parties that we do not own or control, including but not limited to any third party websites, services and applications (“Third Party Services”) that you elect to access through the Service or to individuals that we do not manage or employ. While we attempt to facilitate access only to those Third Party Services that share our respect for your privacy, we cannot take responsibility for the content or privacy policies of those Third Party Services. We encourage you to carefully review the privacy policies of any Third Party Services you access.

What Information Do We Collect?

The information we gather enables us to personalize, improve and continue to operate the Services. In connection with certain aspects of the Services, we may request, collect and/or display some of your Personal Information. We collect the following types of information from our users.

Personal Information:

When you use the Services, you may provide information that could be Personal Information, such as your email address. You acknowledge that this information may be personal to you, and you allow others, including us, to identify you and therefore may not be anonymous. We may use your contact information to send you information about our Services, but only rarely when we feel such information is important. You may unsubscribe from these messages by emailing us at [email protected] although we, regardless, reserve the right to contact you when we believe it is necessary.

User Content:

Some features of the Services allow you to provide content to the Services, such as written comments. All content submitted by you to the Services may be retained by us indefinitely, even after you terminate your use of the Services. We may continue to disclose such content to third parties in a manner that does not reveal Personal Information, as described in this Privacy Policy.

IP Address Information and Other Information Collected Automatically:

We automatically receive and record information from your web browser when you interact with the Services, including your IP address and cookie information. This information is used for fighting spam/malware and also to facilitate collection of data concerning your interaction with the Services (e.g., what links you have clicked on).

Generally, the Services automatically collect usage information, such as the number and frequency of visitors to the Site. We may use this data in aggregate form, that is, as a statistical measure, but not in a manner that would identify you personally. This type of aggregate data enables us and third parties authorized by us to figure out how often individuals use parts of the Services so that we can analyze and improve them.

We may collect some device-specific information if you access the Services using a mobile device. Device information may include but is not limited to unique device identifiers, network information, and hardware model, as well as information about how the device interacts with our Services.

Email Communications:

We may receive a confirmation when you open an email from us. We use this confirmation to improve our customer service.

Information Collected Using Cookies:

Cookies are pieces of text that may be provided to your computer through your web browser when you access a website. Your browser stores cookies in a manner associated with each website you visit. We use cookies to enable our servers to recognize your web browser and tell us how and when you visit the Site and otherwise use the Services through the Internet.

Our cookies do not, by themselves, contain Personal Information, and we do not combine the general information collected through cookies with other Personal Information to tell us who you are. As noted, however, we do use cookies to identify that your web browser has accessed aspects of the Services.

Most browsers have an option for turning off the cookie feature, which will prevent your browser from accepting new cookies, as well as (depending on the sophistication of your browser software) allowing you to decide on acceptance of each new cookie in a variety of ways. We strongly recommend that you leave cookies active, because they enable you to take advantage of the most attractive features of the Services.

This Privacy Policy covers our use of cookies only and does not cover the use of cookies by third parties. We do not control when or how third parties place cookies on your computer. For example, third party websites to which a link points may set cookies on your computer.

To support and enhance the Services, we may serve advertisements, and also allow third-party advertisements, through the Services. These advertisements are sometimes targeted and served to particular users and may come from third party companies called “ad networks.” Ad networks include third party ad servers, ad agencies, ad technology vendors and research firms.

Advertisements served through the Services may be targeted to users who fit a certain general profile category and may be based on anonymized information inferred from information provided to us by a user, including Personal Information (e.g., gender or age), may be based on the Services usage patterns of particular users, or may be based on your activity on Third Party Services. We do not provide Personal Information to any ad networks for use outside of the Services.

To increase the effectiveness of ad delivery, we may deliver a file (known as a “web beacon”) from an ad network to you through the Services. Web beacons allow ad networks to provide anonymized, aggregated auditing, research and reporting for us and for advertisers. Web beacons also enable ad networks to serve targeted advertisements to you when you visit other websites. Because your web browser must request these advertisements and web beacons from the ad network’s servers, these companies can view, edit or set their own cookies, just as if you had requested a web page from their site.

Aggregate Information:

We collect statistical information about how users, collectively, use the Services (“Aggregate Information”). Some of this information is derived from Personal Information. This statistical information is not Personal Information and cannot be tied back to you or your web browser.

Information Regarding Your Social Networks:

Occasionally, you can use our Services to interact with your accounts on other services, such as Facebook or Twitter. In addition to using your third party account credentials to sign in to the Services, you can access posting and sharing tools on the Services, including a “share” button that allows you to post information to your social networks outside of the Services (“Share”). For example, after making a reservation on the Services, you can Share information about that reservation with your Facebook friends or Twitter followers. Please note that these tools may be operated by Third Party Services.

By using these tools, you acknowledge that some Third Party Account Information may be transmitted into the Services, and that Third Party Account Information transmitted to our Services is covered by this Privacy Policy. Additionally, when you use one of these sharing tools, the Third Party Service that operates the tool may be collecting information about your browser or online activity through its own tracking technologies and subject to its own privacy policy. Lastly, when you use these tools, some of your information from the Services (such as the reservation information you selected to Share) may be shared with the Third Party Service and others. Therefore, we encourage you to read the privacy policies and other policies of the social networks you use in connection with the Services.

How, and With Whom, Is My Information Shared?

The Services are designed to help you share information with others. As a result, some of the information generated through the Services is shared publicly or with third parties.

Public Information About Your Activity on the Services:

Some of your activity on and through the Services is public by default. This may include, but is not limited to, content you have posted publicly on the Site or otherwise through the Services.

Users will not have this association, but information concerning their use of the Services (such as what pages they have visited) may be tracked anonymously through the use of cookies and stored by us.

Please also remember that if you choose to provide Personal Information using certain public features of the Services, then that information is governed by the privacy settings of those particular features and may be publicly available. Individuals reading such information may use or disclose it to other individuals or entities without our control and without your knowledge, and search engines may index that information. We therefore urge you to think carefully about including any specific information you may deem private in content that you create or information that you submit through the Services.

IP Address Information:

While we collect and store IP address information, that information is not made public. We do at times, however, share this information with our partners, service providers and other persons with whom we conduct business, and as otherwise specified in this Privacy Policy.

Information You Elect to Share:

You may access other Third Party Services through the Services, for example by clicking on links to those Third Party Services from within the Site. We are not responsible for the privacy policies and/or practices of these Third Party Services, and you are responsible for reading and understanding those Third Party Services’ privacy policies. This Privacy Policy only governs information collected on the Services.

Aggregate Information:

We share Aggregate Information with our partners, service providers and other persons with whom we conduct business. We share this type of statistical data so that our partners can understand how and how often people use our Services and their services or websites, which facilitates improving both their services and how our Services interface with them. In addition, these third parties may share with us non-private, aggregated or otherwise non-Personal Information about you that they have independently developed or acquired.

Email Communications with Us:

As part of the Services, you may occasionally receive email and other communications from us, such as communications relating to your use of the Services. Communications relating to the Services will only be sent for purposes important to the Services, such as password recovery.

Information Shared with Our Agents:

We employ and contract with people and other entities that perform certain tasks on our behalf and who are under our control (our “Agents”). We may need to share Personal Information with our Agents in order to provide products or services to you. Unless we tell you differently, our Agents do not have any right to use Personal Information or other information we share with them beyond what is necessary to assist us. You hereby consent to our sharing of Personal Information with our Agents.

Information Disclosed Pursuant to Business Transfers:

In some cases, we may choose to buy or sell assets. In these types of transactions, user information is typically one of the transferred business assets. Moreover, if we, or substantially all of our assets, were acquired, or if we go out of business or enter bankruptcy, user information would be one of the assets that is transferred or acquired by a third party. You acknowledge that such transfers may occur, and that any acquirer of us or our assets may continue to use your Personal Information as set forth in this policy.

Information Disclosed for Our Protection and the Protection of Others:

We also reserve the right to access, read, preserve, and disclose any information as we reasonably believe is necessary to (i) satisfy any applicable law, regulation, legal process or governmental request, (ii) enforce this Privacy Policy and our Terms of Service, including investigation of potential violations hereof, (iii) detect, prevent, or otherwise address fraud, security or technical issues, (iv) respond to user support requests, or (v) protect our rights, property or safety, our users and the public. This includes exchanging information with other companies and organizations for fraud protection and spam/malware prevention.

Information We Share With Your Consent:

Except as set forth above, you will be notified when your Personal Information may be shared with third parties, and will be able to prevent the sharing of this information.

Is Information About Me Secure?

We seek to protect Personal Information to ensure that it is kept private; however, we cannot guarantee the security of any Personal Information. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of user information at any time.

We otherwise store all of our information, including your IP address information, using industry-standard techniques. We do not guarantee or warrant that such techniques will prevent unauthorized access to information about you that we store, Personal Information or otherwise.

What Information of Mine Can I Access?

Users can access and delete cookies through their web browser settings.

California Privacy Rights: Under California Civil Code sections 1798.83-1798.84, California residents are entitled to ask us for a notice identifying the categories of personal customer information which we share with our affiliates and/or third parties for marketing purposes, and providing contact information for such affiliates and/or third parties. If you are a California resident and would like a copy of this notice, please submit an electronic request to [email protected].

What Choices Do I Have Regarding My Information?

You can always opt not to disclose certain information to us, even though it may be needed to take advantage of some of our features.

What Happens When There Are Changes to this Privacy Policy?

We may amend this Privacy Policy from time to time. Use of information we collect now is subject to the Privacy Policy in effect at the time such information is used. If we make changes in the way we collect or use information, we will notify you by posting an announcement on the Services or sending you an email. A user is bound by any changes to the Privacy Policy when he or she uses the Services after such changes have been first posted.

What If I Have Questions or Concerns?

If you have any questions or concerns regarding privacy using the Services, please send us a detailed message to [email protected]. We will make every effort to resolve your concerns.

Effective Date: October 24, 2016

Information Security Policy

COMPANY INFORMATION SECURITY POLICY

Effective: 31 October, 2017

Introduction

Company considers protection of Customer Data a top priority. As further described in this Company Information Security Policy, Company uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration or disclosure of Customer Data stored on systems under Company’s control.

  1. Access to Customer Data. Company limits its personnel’s access to Customer Data as follows:
     - Requires unique user access authorization through secure logins and passwords, including multi-factor authentication for Cloud Hosting administrator access and individually-assigned Secure Shell (SSH) keys for external engineer access;
     - Limits the Customer Data available to Company personnel on a “need to know” basis;
     - Restricts access to Company’s production environment by Company personnel on the basis of business need; and
     - Encrypts user security credentials for production access.

  2. Data Encryption. Company provides industry-standard encryption for Customer Data both in flight and at rest as follows:
     - Implements End-to-End Transport Layer Security (TLS) across the platform;
     - Uses strong encryption methodologies to protect Customer Data, such as AES-256 or equivalent encryption for Customer Data stored in Company’s production environment; and
     - Encrypts all Customer Data stored on cloud or electronic portable storage devices such as computer laptops, portable drives and other similar devices while at rest.

  3. Data Management. Company creates an audit trail for key verification with each integration, with user-specific integration key generation alert controls. Company logically separates each of its customers’ data and maintains measures designed to prevent Customer Data from being exposed to or accessed by other customers.

  4. Network Security, Physical Security and Environmental Controls. Company uses a variety of techniques designed to detect and/or prevent unauthorized access to systems processing Customer Data, including firewalls, network access controls, and architectural compartmentalization. Company maintains measures designed to assess, test and apply security patches to all relevant systems and applications used to provide the Service. Company monitors privileged access to applications that process Customer Data, including cloud services. The Service operates on Amazon Web Services (“AWS”) and is protected by Amazon’s security and environmental controls. Detailed information about AWS security is available at https://aws.amazon.com/security/ and http://aws.amazon.com/security/sharing-the-security-responsibility/. For AWS SOC Reports, please see https://aws.amazon.com/compliance/soc-faqs/. Customer Data stored within AWS is encrypted at all times. AWS does not have access to unencrypted Customer Data at any time.

  5. Independent Security Assessments. Company periodically assesses the security of its systems and the Service as follows:
     - Annual detailed security and vulnerability assessments of the Service conducted by independent third-party security experts that include a thorough code analysis and a comprehensive security audit. Company shall attest to Customer the date of the most recent security and vulnerability assessment at Customer’s reasonable request.
     - Bi-annual penetration testing of Company systems and applications to test for exploits including, but not limited to, XSS, SQL injection, access controls, and CSRF.
     - Monthly vulnerability scanning, including review of any new code added to the Service.

  6. Incident Response. If Company becomes aware of unauthorized access or disclosure of Customer Data under its control (a “Breach”), Company will:
     - Take reasonable measures to mitigate the harmful effects of the Breach and prevent further unauthorized access or disclosure.
     - Upon confirmation of the Breach, notify Customer in writing of the Breach without undue delay.

     Notwithstanding the foregoing, Company is not required to make such notice to the extent prohibited by Laws, and Company may delay such notice as requested by law enforcement and/or in light of Company’s legitimate needs to investigate or remediate the matter before providing notice.

     Each notice of a Breach will include:
     - The extent to which Customer Data has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Breach;
     - A description of what happened, including the date of the Breach and the date of discovery of the Breach, if known;
     - The scope of the Breach, to the extent known; and
     - A description of Company’s response to the Breach, including steps Company has taken to mitigate the harm caused by the Breach.

  7. Business Continuity Management. Company maintains an appropriate business continuity and disaster recovery plan. Company maintains processes to ensure failover redundancy with its systems, networks and data storage.

  8. Personnel Management. Company performs employment verification, including proof of identity validation and criminal background checks for all new hires, including contract employees. Company provides training for its personnel who are involved in the processing of the Customer Data to ensure they do not collect, process or use Customer Data without authorization and that they keep Customer Data confidential, including following the termination of any role involving the Customer Data. Upon employee termination, whether voluntary or involuntary, Company immediately disables all access to critical and noncritical systems, including Company’s physical facilities.

  9. Modifications to Policy. From time to time, Company may modify this Information Security Policy and its security procedures, but Company will not materially reduce the overall level of security afforded to Customer Data during the Subscription Term. Company will provide any updates to this Security Policy at Customer’s request.