Esker, Inc. ("Esker"), a subsidiary of Esker, S.A., is a recognized leader in helping organizations eliminate manual processes, gain process visibility and control, and reduce the use of paper by automating the flow of documents into, within, and out of an organization. Esker respects individual privacy and values the confidence of its customers, employees, consumers, business partners, and others. Not only does Esker strive to collect, use, and disclose Personal Information in a manner consistent with the laws of the countries in which it does business, but it also has a tradition of upholding the highest ethical standards in its business practices.
Furthermore, Esker is a software company offering the Services. When you use the Services, Esker may receive personal information controlled by you about your customer's customers, clients, employees or others, and process that Personal Information at your direction. Personal Information collected pursuant to the previous sentence is held by Esker (and agents authorized to do so by Esker) for differing purposes depending upon the particular service transports or business processes selected by you. Such service transports and business processes include but not limited to one or more of the following: Postal Mail, Inbound Fax, Outbound Fax, Electronic Mail, Short Message Service, Purchasing Automation Processing, Accounts Payable, Accounts Receivable (Invoice Delivery and Cash Management), or Sales Order Processing. You may also elect to archive your documents.
This Policy sets forth how Esker manages the processing of Personal Information collected offline, manually, and through the Services provided to you, for which Esker is the data processor in the European Economic Area, Switzerland, and other countries that are part of the European Union, and subsequently transferred to the United States.
For purposes of this Policy, the following definitions shall apply:
(1) "Agent" means any third party that collects or uses personal information under the instructions of, and solely for, Esker or to which Esker discloses personal information for use on Esker's behalf.
(2) "Customer Relationship" means Customers who utilize the Esker websites www.esker.com, www.eskerondemand.com, www.flydoc.com, the Services, and the software that is downloadable through the Services-in particular the Esker Loader, On Demand Printer, and VSI-FAX Server; and provided Esker with data that has been collected from your customers. Esker is the data processor of your customers' data and not the data controller.
(3) "Esker Websites" means www.esker.com, www.eskerondemand.com, and www.flydoc.com that are directly linked to this Policy.
(4) "Personal Information" means any information or set of information that identifies or could be used by or on behalf of Esker to identify you. Personal Information may include, for example, name, signature, employee identification number, social security number, telephone number, insurance policy number, job title, financial information, account numbers, passwords, or any other information that is capable of being associated with you. Personal Information does not include aggregate data that has been divorced from identifiable characteristics.
(5) "Sensitive Personal Information" is a subset of Personal Information and includes information pertaining to your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information related to an individual's health or sex life, as well as biometric identifiers, such as finger and voiceprints, and information as to commission or alleged commission of a criminal offense or any related proceedings.
EU-US and Swiss-US Privacy Shield Frameworks
EU-US Privacy Shield Principles
When Esker collects Personal Information directly from you online in the European Economic Area, it will inform you about the purposes for which it collects and uses Personal Information about you, the types of non-agent third parties to which Esker discloses that Personal Information, the choices and means, if any, Esker offers you for limiting the use and disclosure of Personal Information about you, and how to contact Esker. Notice will be provided in clear, conspicuous, and accurate language when you are first asked to provide Personal Information to Esker, or as soon as practicable thereafter, and in any event before Esker uses or discloses the information for a purpose other than that for which it was originally collected. Where Esker receives Personal Information from its parent company, subsidiaries, affiliates, or other entities in the European Economic Area, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such Personal Information relates.
When you use the Services, Esker operates under the assumption that it is your obligation as data controller to notify your customers about the purposes for which Esker collects and uses Personal Information about them, how your customers can contact Esker with any inquiries or complaints, the types of agents to which Esker discloses your customer's Personal Information, and the choices and means offered for limiting Esker's use and disclosure. As the data processor, Esker makes available to you this Policy so that you can better understand Esker's data practices and whether they are consistent with privacy notices you make available to your customers.
When Personal Information is collected. Examples of when Esker collects Personal Information include but are not limited to the following: (a) create a user account to become a member of the Esker Websites or create an account to use the Services; (b) make online purchases; (c) register products online; (d) request technical support, or professional services for an Esker product; (e) register for webcasts; (f) request information or materials (e.g., whitepapers); (g) participate in surveys, evaluations,promotions, contests, giveaways, or online chats; (h) submit questions or comments to Esker; and (i) attend conventions, trade shows, and expositions.
Types of Personal Information Collected. The types of Personal Information which may be collected include but are not limited to the following: (a) your first and last name; (b) your title and your company's name; (c) your home, billing, or other physical address (including street name, name of a city or town, state/province); (d) your e-mail address; (e) your telephone number; (f) your fax number; (g) any other identifier that permits Esker to make physical or online contact with you; and (h) any information that Esker collects online from you and maintains in association with your account, such as your Esker username and password.
How Personal Information is used. Examples of how Esker may use the Personal Information you provide include, but are not limited to the following: (a) create and maintain your accounts; (b) process, fulfill, and follow-up on your orders and special requests; (c) register your products; (d) answer your questions; (e) register you in programs (per your request); (f) send you marketing surveys and information; (g) provide you with information related to your account and the products and/or services you purchased from Esker; (h) to better understand your needs and interests; (i) internally at Esker and Esker, S.A. and its affiliates to improve and develop Esker’s products and services; (j) personalize communications; (k) customize the Service for your specific needs; (l) prevent and detect fraud and abuse in order to protect your security and the security of Esker’s customers; and (m) comply with legal obligations. Any other information transferred by you in connection with its visit to the Esker Websites-that is information that cannot be used to identify you-may be included in databases owned and maintained by Esker or its agents. Esker retains all rights to these databases and the information contained in them.
Esker's Agents. Esker engages service providers and suppliers (“agents”) to perform certain functions on Esker’s behalf such as: information processing, extending credit, fulfilling orders, delivering products to you, managing and enhancing your data, providing customer service, assessing your interest in Esker products and services, data analysis, auditing services, and conducting legitimate research or marketing satisfaction surveys. Those agents will be permitted to process Personal Information only to perform the services specified by Esker. They are required to maintain the confidentiality of the information and are prohibited from using it for any other purpose. Each agent has entered into written terms with Esker requiring that the agent abide by terms no less protective than Esker’s own privacy standards.
Internet Protocol ("IP") Addresses. An IP Address is a number assigned to your computer by your internet service provider so that you can access the internet. Generally, an IP Address changes each time you connect to the internet. However, if you have a broadband connection, depending on the circumstances, it is possible that the IP Address that Esker collects, or even perhaps a cookie Esker uses, may contain Personal Information that could be deemed identifiable. This is because with some broadband connections your IP Address doesn't change and could be associated with your personal computer. Esker uses your IP Address to report aggregate information on use and to help improve the Esker Websites.
Postings on the Esker Websites/Esker Blogs/Community Forums. Esker posts your testimonials/comments/reviews on the Esker Websites which may contain Personal Information. Esker obtains your consent via email prior to posting the testimonial to post your name along with your testimonial. Esker Websites offer publicly accessible blogs or community forums such as blog.esker.com. You should be aware that any Personal Information you provide in these areas may be read, collected, and used by others who access them. Esker shall not be responsible or liable for the Personal Information you choose to submit in these forums.
Esker Newsletters and Marketing E-mails. Esker may use your Personal Information to send you newsletters and/or marketing e-mails. You may choose to stop receiving Esker's newsletter or marketing emails by following the unsubscribe instructions included in the emails or by contacting Esker at email@example.com.
Esker Operations. To facilitate Esker's global operations, Esker may transfer and access data about you from around the world, including the United States and Europe. This Policy shall apply even if Esker transfers data about you to other countries. Esker may provide your Personal Information to a third party in connection with the sale, assignment, or other transfer of the business of the Esker Websites to which the Personal Information relates, in which case Esker will require any such buyer to agree to treat your Personal Information in accordance with this Policy.
Esker E-Invoicing. Depending upon which of the Services you use, Esker will send to you your invoice as an e-invoice through the Esker Accounts Receivable on Demand Web Portal. When necessary, the e-invoice sent by Esker will be signed electronically by the third party, Trustweaver, and archived electronically as required by applicable laws. You may opt-out of receiving your e-invoice via the Esker Accounts Receivable on Demand Web Portal at any time by contacting Esker at www.esker.com/myinvoices.
Third Party E-Commerce Solutions Provider. Esker's shopping cart is hosted by its e-commerce solutions provider, who hosts Esker's ordering system and collects Personal Information and/or Sensitive Personal Information that pertains to billing-such as your credit card number-directly from you for the purpose of processing your order. When you place your order and hit the "payment" box, you are navigated away from the Esker Websites and taken directly to the website of Esker's e-commerce solutions provider to provide your Personal Information and/or Sensitive Personal Information and complete your order. Esker does not access, use, or store the Personal Information or Sensitive Personal Information that pertains to your billing information. This Policy does not apply to Esker's e-commerce solutions provider. You should read the privacy statement of Esker's e-commerce solutions provider with regards to how it accesses, handles, and storage your Personal Information and/or sensitive Personal Information.
Bundled and Rebranded Relationship with Third Parties. Esker may enter into relationships with third parties who bundle the Services with their products or rebrand the Services with their own logo. When Esker enters into these types of relationships Esker will not share your Personal Information with these third parties. This Policy does not apply to the Personal Information collected by these third parties when the Services are bundled with their products or when they rebrand the Services with their own logo. Esker recommends you contact these third parties directly for information on their privacy, security, data collection, and distribution policies.
When you use the Services, Esker offers its customers a choice to opt-out of uses and disclosures of their data that are incompatible with the purposes for which that data was originally collected or subsequently authorized. Esker operates under the assumption that it is generally your obligation as data controller to obtain from your customers the appropriate consent to transfer and process their data to Esker. As your data processor, Esker will not share, sell, rent, or trade with third parties for their marketing purposes any of your data or your customer's data collected by us, unless you direct us to do so and have the appropriate authorization to do so. In the event Personal Information is to be used for a new purpose incompatible with the purposes for which the data was originally collected or subsequently authorized or transferred to the control of a third party that is not acting as an agent of Esker's, data subjects are given notice of such use and, where feasible and appropriate, an opportunity to decline to have their data so used or transferred. In the event that Sensitive Personal Information is to be used for a new purpose or transferred to the control of a third party not acting as an agent of Esker's, the data subject's explicit consent will be obtained prior to the new use or transfer of the data, unless such new use or transfer is: (1) in the vital interests of the data subject or another person; (2) necessary for the establishment of Esker's legal claims of defenses; (3) required to provide medical care or diagnosis; (4) necessary to carry out Esker's obligations in the field of employment law; or (5) related to data that are manifestly made public by the data subject. In these cases, data subjects are given notice of such use.
ACCOUNTABILITY OF ONWARD TRANSFER
Except as described in this Policy, Esker will not share your Personal Information with third-party agents without your consent. In those instances in which Esker shares Personal Information, Esker will ensure that the third-party agent is contractually obligated to process your Personal Information only for limited, specific purposes consistent with this Policy. Esker will also ensure that the third-party agent will apply the same level of protection to your Personal Information as the EU-US Privacy Shield Principles and will notify Esker and stop processing your Personal Information if they make a determination that they can no longer meet their obligations. Esker remains responsible and liable under the EU-US and Swiss-US Privacy Shield Principles if third-party agents that it engages to process the Personal Information on its behalf do so in a manner inconsistent with the EU-US and Swiss-US Privacy Shield Principles, unless Esker proves that it is not responsible for the event giving rise to the damage.
Esker takes reasonable and appropriate physical, technical, and organizational precautions to protect your Personal Information in its possession from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Even with having all these safeguards in place, no method of transmission over the internet is 100% secure and Esker does not guarantee the security of Personal Information transmitted via the Internet. Esker has adopted security and operational policies to protect Personal Information. These policies include technical and organizational security measures, including without limitation, password protections for online information systems, restricted access to Personal Information, and industry standard technical security measures. Specifically, with regards to the Esker Websites, Esker hosts the Esker Websites in a secure server environment that uses firewalls, intrusion detection systems, and other advanced technology to prevent interference or access from outside intruders. Furthermore, Esker uses Secure Socket Layer technology on the Esker Websites to encrypt Personal Information when Personal Information is sent on the Esker Websites. Additionally, Esker annually trains its employees on the EU-US Privacy Shield Principles, the Swiss-US Privacy Shield Framework, this Policy, its other internal security policies, and makes this Policy available to Esker's business partners. Esker and its business partners enter into agreements which require that care and precautions be taken to prevent loss, misuse, unauthorized access, disclosure, alteration, and destruction of your Personal Information.
DATA INTEGRITY AND PURPOSE LIMITATION
Esker will use Personal Information only in ways that are compatible with and relevant for the purposes for which it was collected or subsequently authorized by you. Esker takes reasonable and appropriate physical, technical, and organizational measures to ensure that Personal Information is relevant to its intended use, accurate, complete, reliable, and current. Esker will retain the Personal Information for no longer than is necessary for the purposes for which the Personal Information was collected or for which it is to be further processed. In any case a storage period is notified in advance and not expired yet, and you agree on a specific storage period, Personal Information will be stored for the agreed period. Upon the termination of the Services, Esker discards any record with Personal Information as well as those provided to third parties. (Note: unless otherwise agreed upon between the parties in writing, an actual discard occurs within sixty (60) days after the termination of any service agreement in order to prevent from re-registration during the grace period). Please note that Esker may be required to release an individual's personal information in response to lawful requests by public authorities including to meet national security and law enforcement requirements.
Esker acknowledges the right of individuals to access their personal data. If you utilize any of the Services, you can ensure your contact information and preferences are accurate, complete, and up-to-date by logging in to your account, clicking on the "set-up" link, and accessing the menu items found on the left-hand side. For all Personal Information linked to your billing information, you must contact Esker at firstname.lastname@example.org. Upon request, Esker will grant you reasonable access to Personal Information that Esker holds about you. Esker will also take reasonable measures to permit you to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete, except where the burden or expense of providing access would be disproportionate to the risks to your privacy in the case in question or where the rights or privacy of persons other than you would be violated. Furthermore, data subjects must have access to Personal Information about them that an organization holds, and that they be able to correct, amend, or delete that information where it is inaccurate. Esker operates under the assumption that it is generally your obligation as data controller to provide your clients a means of accessing their data.
RECOURSE, ENFORCEMENT AND LIABILITY
Esker is subject to the investigatory and enforcement powers of the United States Federal Trade Commission. To ask questions regarding this Policy or any of Esker's privacy practices, or to request the deletion of Personal Information, you can contact Esker at:
Attn: General Counsel/Chief Compliance Officer
1850 Deming Way, Ste. 150
Middleton, WI 53562
In compliance with the EU-US and Swiss-US privacy Shield Principles, Esker commits to resolve complaints about your privacy and Esker's collection or use of your Personal Information. European Union or Swiss individuals with inquiries or complaints regarding this Policy should first contact Esker at:Esker, Inc.
Attn: General Counsel/Chief Compliance Officer
1850 Deming Way, Ste. 150
Middleton, WI 53562
Esker has further committed to refer unresolved privacy complaints under the EU-US and Swiss-US Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU Privacy Shield, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. This recourse mechanism is available at no cost to you. Under certain limited conditions it is possible to invoke binding arbitration before the Privacy Shield Panel which will be created by the U.S. Department of Commerce and the European Commission.
For EU Individuals: Your Rights under the General Data Protection Regulation (“GDPR”)
EU Individuals may lodge privacy complaints or enforce their GDPR rights with a supervisory authority listed at: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index en.htm. The Global Data Protection Officer for Esker can be contacted at email@example.com and the Chief Compliance Officer in the United States can be contacted at firstname.lastname@example.org.
For California Residents: Your Rights under the California Consumer Privacy Act of 2018 (“CCPA”)
If you are a California resident, Esker processes your Personal Information in accordance with the CCPA. Except as what is specified under the applicable laws, EU Individuals are not entitled to CCPA rights and California residents are not entitled to GDPR rights. Esker does not sell, rent, trade, or lease your Personal Information. Thus, Esker does not offer an opt-out to the sale of Personal Information. In the preceding twelve (12) months, Esker has not sold Personal Information. Esker will not discriminate against you for exercising any of your CCPA rights.
Under the CCPA, you have the right to request that Esker disclose certain information to you about its collection and use of your Personal Information over the past twelve (12) months. Once Esker receives and confirms your verifiable consumer request, Esker will disclose to you: (1) the categories of Personal Information collected about you, (2) the categories of sources for the Personal Information collected about you, (3) Esker’s business or commercial purposes for collecting or selling the Personal Information, (4) the specific pieces of Personal Information collected about you, and (5) if your Personal Information is sold or disclosed for a business purpose, Esker will identify the Personal Information sold, who it was sold to, and for what business purpose. Under the CCPA, you have the right to request that Esker delete your Personal Information. Once Esker receives and confirms your verifiable consumer request, Esker and any of its applicable agents will delete your Personal Information from its records, unless an exception under the CCPA applies.
To exercise any of the above-referenced rights, please submit a verifiable consumer request to Esker using any one of the options specified above in the section entitled “Recourse, Enforcement and Liability”. Only you, or a person registered with the California Secretary of State that you authorized to act on your behalf, may make a verifiable consumer request related to your Personal Information. You may only make a verifiable consumer request twice within a twelve-month period. Additional information may be requested by Esker to verify your identity before honoring the request. Esker will use reasonable commercial efforts to respond to a verifiable consumer request within forty-five (45) days of its receipt. If Esker requires up to ninety (90) days to respond, written notification will be sent to you advising of the reason for the delay. In the event Esker determines in good faith that a verifiable consumer request is excessive, repetitive, or unfounded, a fee may be charged. In such a case, Esker shall notify you in writing and provide you with reasons for the fee and a cost estimate before completing your request.
Other California Privacy Rights
California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your Personal Information by us to third parties for the third parties’ direct marketing purposes. California Business and Professions Code Section 22581 permits registered users who are minors to request and obtain deletion of certain posted content. California Business and Professions Code Section 22575 requires an operator of a commercial website that collects Personally Identifiable information about California residents to disclose how it responds to web browser "do not track" signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about online activities over time. Because there is currently no industry standard on responding to such signals or mechanisms, Esker does not respond to them at this time.
The Esker Websites contain electronic images known as web beacons (sometimes called single-pixel gifs) which may be used in some of Esker's emails to let Esker know which emails and links have been opened by recipients. Some of Esker's business partners also employ web beacons that help it better manage content on the Esker Websites. However, Esker has no access to or control over such web beacons.
Third Party Cookies
On rare occasions it is necessary to send out a strictly service related announcement. For instance, if the Services are temporarily suspended for maintenance Esker might send you an email. Generally, users may not opt-out of these communications. These communications are not promotional in nature.
Children are restricted from customer registration and buying products/services on the Esker Websites. Furthermore, Esker does not knowingly collect or solicit any Personal Information from anyone under the age of thirteen (13) through the Esker Websites. If Esker learns that it has Personal Information on a child under the age of thirteen (13), then that Personal Information will be immediately deleted from Esker’s systems. If you are a parent or legal guardian and think your child under thirteen (13) has provided Esker with information, please contact Esker at email@example.com.
Changes to this Policy
Esker may amend this Policy from time-to-time, consistent with the requirements of the EU-US Privacy Shield Principles and the Swiss-U.S. Privacy Shield Framework. When Esker does update this Policy, it will also revise the "Last Updated" date at the bottom of this Policy. Any material changes to this Policy will also be posted at https://www.esker.com/privacy-policy/
December 30, 2019