- What Information We Collect
- Why We Collect That Information
- With Whom and When We Share Our Information
- Our Data Retention Practice
- Our Data Security Measures
- Data Privacy Regulations and Compliance
- Data Breach Procedure
If you have any questions about this policy, please contact us at firstname.lastname@example.org.
If You do not agree with the data practices described in this Policy, you should not use the Service or visit our Websites. We may from time-to-time update, amend or modify the terms of this Policy, and post the updated version to our Websites. If there is a material change to the information we collect, process or your data rights, we will notify you of the amendment or update by email or other direct communication that you’ve opted into or consented to. Your continued use of the Service after any amendment or update to this Policy shall constitute immediate acceptance of all revised, modified and/or amended terms to this Policy. However, you should review the most up-to-date version of the Policy from time-to-time on the Websites.
This Policy constitutes a binding agreement between you and us. By accessing and/or using the Service, either through the Websites or application, you agree to the terms of this Policy.
What Information We Collect
In order to provide the Service, we will need to collect certain Personal Information. “Personal Information” here means any information that may be used to identify an individual or household, including, but not limited to, a first and last name, email address, a home, postal or other physical address, other contact information (including information discoverable via access to your mobile device’s operating system), title, birth date, gender, and other information, including information that you submit to or save within a Website or the Service. We collect Personal Information that you voluntarily provide to us when you (1) create an account to use the Service; (2) express an interest in obtaining information about us or our Service or products; and (3) participate in activities on the Services or otherwise contact Us.
In order to understand our Users, their preferences and to optimize our Services, we may collect Navigational Information. “Navigational Information” here means information about your computer, device, VPN information, IP address, the date and time of the visit and how long you remained on our Websites, the referral URL (the site from which the visitor has come), the pages visited on our Websites and information about the device and browser (such as, browser type and version and operating system), browser history, and geographical location. We may also collect visitor data through third party services such as Google Analytics. Navigational Information is primarily needed to maintain the security and operation of our Service, and for our internal analytics and reporting purposes.
We may through tools offered on our Websites collect User Content, although at this time such tools are limited to text. “User Content” means content uploaded or submitted by you such as feedback, information, updates, comments, text, images, photographs, videos, notes, sounds, data, posts and suggestions.
In order to provide you with the Service, updates, notifications, and features, we will need to collect User Information. “User Information” means information such as name, email address, username, passwords, and payment information (such as credit card information and billing address) that you provide to us in order to create an account and/or use the Website or Services.
Like many websites, ChipDrop may use a standard technology called a "cookie" to collect information about how you use our Website, remember your identity and user information while providing the Service, and understand user traffic patterns and usage of the Service. A cookie is a small data file that certain websites write to your hard drive when you visit them. A cookie file can contain information such as a user ID that the site uses to track the pages you've visited, but the only personal information a cookie can contain is information you supply yourself. A cookie can't read data off your hard disk or read cookie files created by other sites. If you prefer not to receive cookies while browsing our Website content, you can set your browser to reject all cookies, or to prompt you to accept or reject individual cookies. However, as described above, the Service will not function without cookies enabled. To opt-out of interest-based advertising by advertisers on our Service visit http://www.aboutads.info/choices/.
INFORMATION ABOUT MINORS/CHILDREN. WE NEVER COLLECT, SELL, SHARE, OR STORE INDIVIDUAL CHILD OR MINOR DATA. THE ONLY INFORMATION WE COLLECT, STORE AND USE TO PROVIDE THE SERVICES IS THE PERSONAL INFORMATION OF THE ACCOUNT CREATOR, WHO MUST BE ABOVE THE AGE OF 18. INDIVIDUALS BELOW THE AGE OF 18 (“MINORS”) SHALL NOT BE ALLOWED TO CREATE AN ACCOUNT WITHOUT THE EXPRESS PERMISSION OF A LEGAL GUARDIAN OR PARENT. IF YOU BECOME AWARE THAT WE HAVE COLLECTED PERSONAL INFORMATION FROM A MINOR WITHOUT PARENTAL OR LEGAL GUARDIAN CONSENT, PLEASE LET US KNOW BY CONTACTING US AT email@example.com, SO WE CAN TAKE APPROPRIATE ACTION.
The above information collected will collectively be referred to as “Data” throughout this Policy.
All Data that you provide to us must be true, complete and accurate, and you must notify us of any changes to any Personal Information. The Data for the Service is stored and managed on servers and third-party hosting services, including without limitation https://www.heroku.com/.
All payment data is processed and stored by a secure third-party payment gateway, such as https://stripe.com/. We are not responsible for the privacy policies of our third-party payment gateways as it relates to data like payment data that does not reside on our servers, so please read their policies carefully.
Despite what we may collect, you have rights to your Data. You can always ask us to delete, modify or stop processing or sharing your Data. We will do our best to honor your request, comply with applicable laws and regulations and continue to provide the Service if possible.
Why We Collect That Information
We collect your Data in order for you to make use of the Service offered by ChipDrop, namely, providing a method of connecting home gardeners with arborists to facilitate deliveries of wood chips, and to facilitate the Network which allows home gardeners to communicate with one another. Your Data is collected when you enter it into a form on the Website, when you navigate the Website, or when you voluntarily provide it to us in any other electronic means. We will share your Data with your permission only to (i) service partners, such as payment processors and email providers, to enable transactions you request, (ii) service partners, such as cloud hosting, which enable the Website, (iii) to other users of the Service, such as arborists, to enable the Service’s matchmaking process, and (iv) to other Network users to facilitate peer-to-peer connecting, messaging and wood chip exchange. As described below, except incident to a merger or sale of ChipDrop, we won’t sell or transfer your information without your consent. If you’ve provided us with your consent, you have the right to withdraw your consent by contacting us at firstname.lastname@example.org.
We process and use the Data for purposes based on our legitimate business interests (described below), the fulfillment of our legal obligations and contracts with you, compliance with our legal obligations, and/or your consent. By accepting this Policy, you hereby agree that we may use the Data we collect or receive:
To facilitate account creation and logon process. If you choose to link your account with us to a third-party account (such as your Google or Facebook account), we use the information you allowed us to collect from those third parties to facilitate account creation and logon process for the performance of the contract;
To send you marketing and promotional communications. You can opt-out of our marketing emails at any time;
To send administrative information and notices to you regarding Your account;
Fulfill and manage your orders, requests and other purchases;
Deliver the products and Service to You;
To facilitate the Network, should you choose to opt-in to such feature;
Send emails and communications to you unless you opt out from receiving such correspondence;
Administer credits to your account;
Request feedback and to contact you about your use of our Service;
To protect our Service from fraud by means of monitoring and prevention;
To enforce our terms, conditions and this Policy;
To respond to legal requests and prevent harm;
To manage User Accounts;
For other business purposes. We may use Your information for other business purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our Service, products, marketing and your experience. We may use and store this information in aggregated and anonymized form so that it is not associated with individual end users and does not include Personal Information. We will not use identifiable Personal Information without your consent;
We may post user testimonials and comments on our Website or applications upon written notice to you, which may contain Personal Information. You have the right to request removal of such testimonial and/or comment(s) upon receiving our written notice.
When you visit a Website you do so anonymously, unless you have previously indicated that you wish ChipDrop to remember your login and password. We do log your IP address (the Internet address of your computer) to give us an idea of which parts of our website you visit and how long you spend there. ChipDrop does not link your IP address to any Personal Information unless you have logged in to a Website. When you use the Service to connect with or post information to a ChipDrop Website or server, you may be asked to provide Personal Information as you establish your account credentials, utilize the features of the Website or Service, transmit information, and otherwise engage with ChipDrop. ChipDrop has access to that Personal Information for the limited purpose of providing the Service, and for providing support to Users. Except as necessary to provide the Service or customer service, Personal Information stored on the Service is not shared with ChipDrop or other Users. You should not expect the information stored in the Service to be entirely secure. You are primarily responsible for the security of information stored on your personal computer or mobile device.
ChipDrop may collect information from Users of either the Websites or the Service, as Users engage with and use the Service or other features on a Website, for the purpose of identifying and diagnosing bugs, crashes, inconsistencies, or other problems related to the Service or Website features. The information collected may include Personal Information, particularly as that information relates to a bug report from a specific User. Normally, however, no Personal Information is shared. In addition, you will be given the opportunity to submit bug or crash reports anonymously.
With Whom and When We Share Our Information
ChipDrop does not sell, share, license, or otherwise share your Personal Information or any personally identifiable information with any entity or person, except as expressly described in this Policy or when we have a legal basis to do so, for instance with your prior written consent or a court order.
ChipDrop may send your Personal Information to other companies or people under any of the following circumstances:
When we have your consent to share or transfer the information;
When we need to share your information to provide the Service you have requested; or
When you have set options on your profile on the Website to display Personal Information, such as your email address or website, or when you opt to join the Network.
We will also disclose your Personal Information if required to do so by law, to enforce our Terms of Service and this Policy, or in urgent circumstances, to protect personal safety, the public, or ChipDrop’s Websites, software, or other services.
If we suspect fraud, we reserve the right to share required User Information and/or Personal Information to investigate such incident with other users and/or law enforcement.
We will also disclose Data to third-party affiliates and partners that help us provide our Service. As of the last updated date, the following partners provide services allowing ChipDrop to provide its services to you: Google (analytics for our website), Mail Chimp (email notices), Stripe (payment processing), Papertrail (transactional emails), Heroku (website hosting), Honeybadger (server error tracking), TrackJS (browser error tracking), Papertrail (server logs) and Twilio (phone verification).
If you choose to be a part of the Network (as defined in our Terms of Service), you are agreeing and consenting for your general location, name, and User Information to be shared with other Network users looking to connect. Specifically, this means that your use of the features that allow you to communicate, or broadcast, to other users your status or location, such as a status of “has extra wood chips,” is entirely voluntary and is not required to use the Website or the Service, but if you make use of such features you “opt-in” to such data sharing. All locations and addresses will be anonymized and localized, unless you provide such detailed information to another user on the Network directly or request that we do so on your behalf. By requesting information from another Network user, you are consenting to us sharing your contact information with that Network User. Further, if you opt-in to the Network then you consent to us sending you information and requests from other Network users looking to connect with you.
The messaging feature between Network users is secure and shall only be used for appropriate, site-specific communication. The messaging service shall not be used for any other purpose, and any violation of this Agreement or law will be considered a material breach and grounds for legal intervention and termination of such users’ accounts. For instance, as described in the Terms of Service, injurious messages are prohibited and we are not responsible or liable for any damages, injuries, losses, violations, fines, fees or results arising from or related to the communication between users on the Network. Further, we are not liable for the misuse, dissemination or unauthorized access or use of the information you share with another Network user.
We will only share your contact details with other users on the Network if you request information from that user.
You have the right to change the information shared by accessing the settings feature of your account. You have the right to opt-out of the Network at any time and for any reason by accessing the feature to leave the Network through your use of the Service.
In all cases where we share Data with such partners, affiliates, and service providers, we explicitly require them to acknowledge and adhere to customer data handling policies, including without limitation CCPA, GDPR, COPPA and other applicable regulations and laws. Such third parties are prohibited from using any Personal Information except for these stated purposes, and they are required to maintain the confidentiality of your Data. ChipDrop and its affiliated entities may share information with third-party data controllers, law enforcement agencies and potential transaction partners where We and our affiliated entities have a legal basis to do so.
Our Data Retention Practice
We will only keep Your Personal Information for as long as it is necessary for the purposes set out in this Policy, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements). When we have no ongoing legitimate business need to process your Data, we will either delete, de-identify it or anonymize it. If this is not possible (for example, because your Data has been stored in backup archives), then we will securely store your Data and isolate it from any further processing until deletion is possible.
If you have elected to receive marketing communications from us, we retain information about your marketing preferences for a reasonable period of time from the date you last expressed interest in our content or Service, such as when you last logged into your User Account. We retain information derived from cookies and other tracking technologies for a reasonable period of time from the date such information was created.
Our Data Security Measures
The security of your Personal Information is extremely important to us. When you enter sensitive information (such as your password) on our registration or order forms, we encrypt that information using secure socket layer technology (SSL).
We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. No method of online transmission or electronic storage is 100% secure, however. Therefore, while we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security. Moreover, we are not responsible for the security of information you transmit to us over networks that we do not control, including the internet and wireless networks, or the data that is stored on your device. Although we will do our best to protect your Personal Information, transmission of Personal Information to and from our Service or apps is at your own risk. You should only access the services within a secure environment.
If you are visiting ChipDrop from a location outside of the U.S., your orders will be placed through U.S. servers and your personal information will be subject to jurisdiction in the U.S. All information you provide to us will be processed and securely maintained in web servers and internal systems located within the U.S.
Along with the above, we have the following technical safeguards in place to help keep the Data we collect safe and secure:
Unique password requirements and limited employee access;
Destruction, deletion or de-identification of Data;
Industry standard security protocols;
Secure messaging services;
Employee training on how to handle sensitive data, breach notice and procedures;
Secure Technology (SSL), server authentication and Data encryption and use of firewall to host data;
Designated security coordinator on the ChipDrop team;
Sub-processors and third-parties are bound to the same security practice obligations;
If any personally identifiable data is collected through the use of the Service, we will ensure that it is destroyed, returned, or modified to make it unreadable or indecipherable, at the end of your use of the Services, unless required to be retained and maintained in original form pursuant to law enforcement, legal proceeding, court order or subpoena. Disposition shall include (1) the shredding of any hard copies of any Personal Information; (2) erasing; or (3) otherwise modifying the Personal Information in those records to make it unreadable or indecipherable.
If you have any questions about security on our Website, you can email us at email@example.com.
Data Privacy Regulations and Compliance
Children’s Online Privacy Protection Act (COPPA)
Country Specific Policies and Guidance
Global Digital Privacy Regulations (GDPR). You may have additional rights as a citizen or resident of certain jurisdictions. If you are a citizen of an EU nation, your Personal Information is protected by the provisions of the EU General Data Privacy Regulation (“GDPR”), and your nation’s laws may provide additional protections. For more information regarding your privacy rights, you may contact your national data commissioner.
Our legal basis for collecting and using information described herein will depend on the Data concerned, and the specific context in which we collect it. However, we will normally collect Personal Information and Data from you only where we have your consent to do so, where we need the Personal Information and/or Data to perform a contract with you, or where the processing is in our legitimate interests and is not outweighed by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect and maintain Personal Information and/or Data from you.
If we ask you to provide Personal Information and/or Data to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your Personal Information and/or Data is mandatory or not (as well as of the possible consequences if you do not provide your Personal Information and/or Data). Similarly, if we collect and use your Personal Information and/or Data in reliance on our legitimate interests (or those of any third party), we will make clear to you at the relevant time what those legitimate interests are.
Processing shall be lawful only if and to the extent that at least one of the following applies:
the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which the controller is subject;
processing is necessary in order to protect the vital interests of the data subject or of another natural person;
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Australia and New Zealand. If you are a citizen of Australia, your personal information is protected by the provisions of Australia’s Privacy Act 1988 (the “Act”), and its regulations. For more information regarding your privacy rights, you may contact the Office of the Australian Information Commissioner (OAIC). The OAIC’s website is located at https://www.oaic.gov.au/. If you are a citizen of New Zealand, Your personal information is protected by the provisions of New Zealand’s Privacy Act 1993 (the “Act”), and its regulations. For more information regarding your privacy rights, you may contact the Office of the New Zealand Privacy Commissioner. The Commissioner’s website is located at https://www.privacy.org.nz/.
International Transfers. ChipDrop stores Personal Information in the cloud, our servers, and the servers of our service providers. To facilitate our global operations, we may transfer and access such information from around the world, including to servers located in the United States. By providing information to ChipDrop, you consent to the transfer and storage of Personal Information in these locations.
California Consumer Protection Act (CCPA). If you are a California resident, you have certain additional rights with regard to your data under the California Consumer Privacy Act of 2018 ("CCPA") and other state laws, as further described below.
Personally Identifiable Information Collected. We may collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device ("Personally Identifiable Information"). In particular, we have collected the following categories of Personally Identifiable Information from our users within the last twelve months, for the purposes described herein:
Identifiers, including your name, address, IP address, and email address;
Personal information from categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), including your name, address, telephone number, and credit card information;
Commercial information, including records of the products You used or purchased, and Your purchasing history or tendencies; and
Internet activity, including information about Your interaction with Our website and application.
Personally Identifiable Information does not include publicly available information from government records, de-identified or aggregated consumer information, or other information excluded from the CCPA's scope. We will not collect additional categories or use the Personally Identifiable Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
Sale of Personally Identifiable Information. In the preceding twelve months, we have not sold any of our users' Personally Identifiable Information unless they requested a drop. You are advised that if You requested a drop, we transferred Your information at Your request to Arborist Users who are located near you, and those Arborist Users pay a fee to access our users, which is or may be defined within CCPA’s provisions as a “sale.” We do not sell our mailing lists, user information, or other information except for the purpose of facilitating drops.
Your Rights and Choices. Pursuant to the CCPA, you have the following rights regarding your Personally Identifiable Information: (1) Right to Notice; (2) Right to Access/Right to Request; (3) Right to Know; (4) Right to Delete; (5) Right to Opt-Out; (6) Right to Not Be Discriminated Against, and (7) Right to Notice of Financial Incentive.
Upon a verified request, we will provide you with this information. You have the right to request that your Personally Identifiable Information be deleted, anonymized, or not processed or shared. You can exercise these data rights by logging into your account on our Website or by emailing us at firstname.lastname@example.org.
Access to Specific Information and Data Portability Rights. You have the right to request that we disclose certain information to you about our collection and use of your Personally Identifiable Information over the past twelve months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
The categories of Personally Identifiable Information we collected about you;
The categories of sources for the Personally Identifiable Information we collected about you;
Our business or commercial purpose for collecting or selling that Personally Identifiable Information;
The categories of third parties with whom we share that Personally Identifiable Information;
The specific pieces of Personally Identifiable Information we collected about you (also called a data portability request);
If we disclosed your Personally Identifiable Information for a business purpose, the Personally Identifiable Information categories that each category of recipient obtained.
Deletion request rights. You have the right to request that we delete any of your Personally Identifiable Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete or de-identify or anonymize (and direct our service providers to do the same) your Personally Identifiable Information from our records, unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service providers to:
Complete the transaction for which we collected the Personally Identifiable Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
Debug to identify and repair errors that impair existing intended functionality;
Exercise free speech, ensure the right of another user to exercise their free speech rights, or exercise another right provided for by law;
Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.);
Enable solely internal uses that are reasonably aligned with consumer expectations based on Your relationship with us; or
Comply with a legal obligation, court order or similar judicial request.
How to Exercise Your Rights. You may exercise your rights by emailing us at email@example.com with a subject of CCPA Privacy Request. Please send the email from the same address attached to your ChipDrop account to verify your identity or through your account. We will respond within 45 days with .json, .csv or screenshot files containing all your information. Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your Personally Identifiable Information. You may also make a verifiable consumer request on behalf of your minor child. You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must (i) provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personally Identifiable Information or an authorized representative, and (ii) describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We will not be able to respond to your request or provide you with Personally Identifiable Information if we cannot verify your identity or authority to make the request and confirm the Personally Identifiable Information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use Personally Identifiable Information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.
Response Timing and Format. We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days total), We will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our response to that account by machine-readable and common electronic means. If you do not have an account with us, we will deliver our response by email electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personally Identifiable Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell You why we made that decision and provide you with a cost estimate before completing your request.
Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not (i) deny you goods or services as long as possible; (ii) charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; (iii) provide you a different level or quality of goods or services; or (iv) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services. However, deletion of your Personally Identifiable Information may hinder the performance of the Service.
Data Breach Procedure
In the event of an actual data breach or the unauthorized access or disclosure of any sensitive or personal data, we will notify you in writing as soon as possible outlining the following information:
What happened (date of breach if possible, or estimated date of incident, or the date range within which the breach occurred);
What information was involved (list the type of Personal Information);
What we are doing to help resolve or mitigate the issue (and if there was any delay in providing this notice due to law enforcement investigation);
What you can do to help us;
How you can get more information or contact us;
Information about what we have done to protect individuals whose information has been breached;
Advice on steps that the person whose information has been breached may take to protect himself or herself; and
Information about the steps we have taken to cure the breach and the estimated timeframe for such cure.