OTOY, Inc. and its affiliates and subsidiaries (“OTOY” or “we”, “us” or “our”) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. OTOY has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. OTOY has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles and, together with the EU-US DPF Principles, the “DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Scope. Our certification of adherence to the DPF Principles applies to the personal data that (a) we collect from our customers and other visitors to our website for account management, billing or marketing purposes (“OTOY User Data”), (b) that we process on behalf of our customers in providing online services to them under a service agreement (“Services Data”) and (c) we collect about our employees (past or present) collected in the context of the employment relationship (“HR Data”). OTOY commits to comply with the DPF Principles as they may be updated from time to time and, to the extent applicable, cooperate with any panel established by the EU or UK data protection authorities (DPAs), including the ICO in the UK, and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by the panels with regard to HR Data transferred from the EU, UK and Switzerland in the context of the employment relationship. Please contact us to be directed to the relevant DPA contacts.
Data processed. The OTOY User Data that we collect, use and share is described in our Privacy Policy. While our customers decide what Services Data to submit, it typically includes information about their own users and how they use the customer’s sites, applications and services and third party applications. We process Services Data as instructed by our customers and do not own or control Services Data.
Purposes of data processing. We collect, use and share OTOY User Data for the purposes described in our Privacy Policy. We process Services Data for the purpose of providing our online services to our customers, which may include accessing and processing the data to provide the services, to correct and address technical or service problems, to follow instructions of the customer who submitted the data, or in response to contractual requirements.
Inquiries and complaints. In compliance with the DPF Principles, OTOY commits to resolve DPF Principles-related complaints about our collection or use of your personal data. EU, UK and Swiss individuals with inquiries or complaints concerning our handling of personal data in reliance on the DPF Principles should first contact [email protected]. In compliance with the DPF Principles, OTOY commits to refer unresolved complaints concerning our handling of personal data received in reliance on the DPF Principles to the JAMS Data Privacy Framework Program, our U.S.-based third party dispute resolution provider. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of the JAMS Data Privacy Framework Program are provided at no cost to you.
Arbitration. If you are located in the EEA, UK or Switzerland and neither OTOY nor our dispute resolution provider resolves your complaint, you may be entitled to invoke binding arbitration under certain conditions more fully described on the Data Privacy Framework website: https://www.dataprivacyframework.gov/.
Third parties who may receive personal data. We share OTOY User Data with third parties as described in our Privacy Policy. We may share Services Data with third parties under the following circumstances and only in accordance with the applicable customer agreements:
- Affiliates. We may disclose Services Data to our subsidiaries and corporate affiliates for use consistent with this Privacy Policy.
- Service Providers. We may employ third party companies and individuals to administer and provide the Service on our behalf (such as customer support, hosting, website analytics, email delivery, database management services). OTOY maintains contracts with these service providers restricting their access, use and disclosure of personal data in compliance with our Data Privacy Framework obligations, including the onward transfer provisions, and we may be liable if they fail to meet those obligations and we are responsible for the event giving rise to damage.
- Legal requirements. We may disclose Services Data if required to do so by law in order to (for example) respond to a subpoena or request from law enforcement, a court or a government agency, or in the good faith belief that such action is necessary (a) to comply with a legal obligation, (b) to protect or defend our rights, interests or property or that of third parties, (c) to prevent or investigate possible wrongdoing in connection with the services, (d) to act in urgent circumstances to protect the personal safety of customers, their users or the public; or (e) to protect against legal liability.
- Business Transfers. As we develop our business, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, Services Data may be part of the transferred assets.
In addition, we may be required to disclose any personal data that we process in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
We recognize that we have certain responsibilities for the processing of personal data received under the DPF Principles and subsequently transferred to a third party acting as our agent, and that we shall remain liable under the DPF Principles if such agent processes the personal information in a manner inconsistent with the DPF Principles, unless we can otherwise show that we are not responsible for the event giving rise to the damage.
Your rights to access, to limit use, and to limit disclosure. Individuals in the EEA, UK and Switzerland have rights to access personal data about them, and to limit use and disclosure of their personal data. With our Data Privacy Framework self-certification, we have committed to respect those rights. This means that if you wish to access Services Data and request that we correct, amend or delete it if it is inaccurate or processed in violation of the Data Privacy Framework, you should contact that customer with your request. We will then help them to fulfil that request in accordance with their instructions.
If your personal data includes OTOY Personal Data, you can request access to that data and request that we correct, amend, or delete it if it is inaccurate or processed in violation of the Data Privacy Framework by emailing your request to [email protected]. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions.
Amendment. We may amend this statement from time to time by posting a revised statement on this website or a similar website that replaces this website. If we amend the statement, the new statement will apply to personal data previously collected only insofar as the rights of the individual affected are not reduced. So long as we adhere to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, we will not amend our statement in a manner inconsistent with such programs.
U.S. Federal Trade Commission Enforcement. OTOY’s commitments under the Data Privacy Framework are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.
If there is any conflict between the terms in this Data Privacy Framework Notice and the DPF Principles, the DPF Principles shall take precedence.