Privacy Notice

Updated: March 17, 2021

About Us

We are a global company based in San Francisco, California, USA. We provide documentation automation software as a service that helps companies streamline processes to create, approve and eSign proposals, quotes, contracts and other documents. Companies that use our services can provide their customers with a more professional, timely and engaging experience. 

About this Privacy Notice

This Privacy Notice sets forth the handling practices of PandaDoc, Inc. (variously, “PandaDoc”, “we”, “our” or “us”) and its affiliates in regard to the collection, usage and disclosure of personal data or personal information that you may provide to us through using this website (www.pandadoc.com) (the “Website”), or by using any product or service provided by PandaDoc (the “Services”).

If you do not accept this Privacy Notice and/or do not meet and/or comply with the provisions set forth herein, then you should not use our Website.

Types of Information We Collect

The following provides examples of the type of information that we collect from you and how we use that information.

ContextTypes of DataPrimary Purpose for Collection
and Use of Data
Client InformationWe collect the name, username, and contact information, of our clients and their employees with whom we may interact.We have a legitimate interest in contacting our clients and communicating with them concerning normal business administration such as projects, services, and billing.
Client User Account informationWe collect personal data from our clients when they create an account to access and use the Services or request certain free Services from our Website. This information could include business contact information such as name, email address, title, company information, industry, and password for our services.We have a legitimate interest in providing account-related functionalities to our users, monitoring account log-ins, and detecting potential fraudulent logins or account misuse. Additionally, we use this information to fulfill our contract to provide you with Services.
Contact Information of vendorsUsers of our service may ask their vendors or service providers to submit company and security-related information on our platform (e.g., to complete a security questionnaire). When a user invites a vendor we collect the name and email address of the vendor.We have a legitimate interest in contacting vendors on behalf of our clients in order to invite them to communicate with companies through our platform. Among other things, the communication allows our clients to efficiently solicit, and receive, security questionnaires, and allows vendors to efficiently solicit, and transmit security questionnaires. Additionally, we use this information to fulfill our contract to provide services which may include soliciting, receiving, transmitting, and hosting responses to security questions.
Account Information – VendorsWe collect personal data from vendors when they create an account to access and use the Services or request certain free Services from our Website. This information could include business contact information such as name, email address, title, company information, and password for our services.We have a legitimate interest in providing account related functionalities to our vendor-users, monitoring account log-ins, and detecting potential fraudulent logins or account misuse. Additionally, in some cases, we use this information to fulfill our contract to provide vendor-users with Services.
Cookies and first party trackingWe use cookies and clear GIFs. “Cookies” are small pieces of information that a website sends to a computer’s hard drive while a web site is viewed.We have a legitimate interest in making our website operate efficiently.
Email InterconnectivityIf you receive email from us, we use certain tools to capture data related to when you open our message, click on any links or banners it contains and make purchases.We have a legitimate interest in understanding how you interact with our communications to you.
EmploymentWhen you apply for a job posting, or become an employee, we collect information necessary to process your application or to retain you as an employee. This may include, among other things, your Social Security Number. Providing this information is required for employment.
We collect personal data from you contained in any inquiry you submit to us regarding our Website or Services, such as completing our online forms, calling, or emailing for the purposes of general inquiries, support requests, or to report an issue. When you communicate with us over the phone, your calls may be recorded and analyzed for training, quality control and for sales and marketing purposes. During such calls we will notify you of the recording via either voice prompt or script. 
When you subscribe to one of our mailing list(s), we collect your email address or postal address. 
We collect information from your mobile device when visiting our Website. Such information may include operating system type and/or mobile device model, browser type, domain, and other system settings, the language your system uses and the country and time zone of your device, geo-location, unique device identifier and/or other device identifier, mobile phone carrier identification, and device software platform and firmware information.
We have a legitimate interest in identifying unique visitors, and in understanding how users interact with us on their mobile devices.
SurveysWhen you participate in a survey we collect information that you provide through the survey. If the survey is provided by a third party service provider, the third party’s privacy policy applies to the collection, use, and disclosure of your information. Participation in any such surveys is completely voluntary and you therefore have a choice whether to disclose such information.We have a legitimate interest in understanding your opinions, and collecting information relevant to our organization.
Website interactionsWe use technology to monitor how you interact with our website. This may include which links you click on, or information that you type into our online forms. This may also include information about your device or browser.We have a legitimate interest in understanding how you interact with our website to better improve it, and to understand your preferences and interests in order to select offerings that you might find most useful. We also have a legitimate interest in detecting and preventing fraud.
Web logsWe collect information, including your browser type, operating system, Internet Protocol (IP) address (a number that is automatically assigned to a computer when the Internet is used), domain name, click-activity, referring website, and/or a date/time stamp for visitors.We have a legitimate interest in monitoring our networks and the visitors to our websites. Among other things, it helps us understand which of our services is the most popular.

In addition to the information that we collect from you directly, we may also receive information about you from other sources, including third parties, business partners, our affiliates, or publicly available sources. For example, if you submit a job application, or become an employee, we may conduct a background check.

Use and Processing of Personal Information

In addition to the purposes and uses described above, we use information in the following ways: 

Although the sections above describe our primary purpose in collecting your information, in many situations we have more than one purpose. For example, if you sign up for Services, we may collect your information to complete that transaction, but we also collect your information as we have a legitimate interest in maintaining your information after your transaction is complete so that we can quickly and easily respond to any questions about your Services. As a result, our collection and processing of your information is based in different contexts upon your consent, our need to perform a contract, our obligations under law, and/or our legitimate interest in conducting our business.

Sharing of Information

In addition to the specific situations discussed elsewhere in this policy, we may share personal information in the following situations: 

Except as otherwise stated in this Privacy Notice, we do not sell, trade, rent or otherwise share for marketing purposes your Personal Data with third parties without your consent. 

Retention of Your Personal Information

The length of time for which we retain personal information depends on the purposes for which we collected and use it and/or as required to comply with applicable laws. Where there are technical limitations that prevent deletion or anonymization, we safeguard personal information and limit active use of it.

See the Section “Your Choices” about storage of your personal information.

How We Protect Your Personal Information 

We implement security measures designed to protect your personal information from unauthorized access. We apply these tools based on the sensitivity of the personal information we collect, use, and store, and the current state of technology. We protect your personal information through technical and organizational security measures to minimize risks associated with data loss, misuse, unauthorized access, and unauthorize disclosure and alteration. We periodically review our information collection, storage and processing practices, including technical and organizational measures, to guard against unauthorized access to systems.  Your account is protected by your account password and we urge you to take steps to keep your personal information safe by not disclosing your password and by logging out of your account after each use.  

Because the internet is not a completely secure environment, PandaDoc cannot warrant the security of any information you transmit to PandaDoc or guarantee that information on the Website may not be accessed, disclosed, altered and/or destroyed by breach of any of our physical, technical and/or managerial safeguards. In addition, while we take reasonable measure to ensure that service providers keep your information confidential and secure, such service provider’s practices are ultimately beyond our control. 

We are not responsible for the functionality, privacy and/or security measures of any other organization. By using our Website, you acknowledge that you understand and agree to assume these risks. You may ask for a list of technical and organizational measures taken to protect your personal data by e-mailing us at: privacyteam@pandadoc.com.

Your Choices 

You may take the below actions to change or limit the collection or use of your personal information. 

Promotional Emails. You may choose to provide us with your email address for the purpose of allowing us to send free newsletters, surveys, offers, and other promotional materials to you, as well as targeted offers from third parties. You can stop receiving promotional emails by following the unsubscribe instructions in e-mails that you receive. If you decide not to receive promotional emails, we may still send you service related communications.

Online Tracking. We do not currently recognize automated browser signals regarding tracking mechanisms, which may include “Do Not Track” instructions.

Device and Usage Information. If you do not want us to see your device location, you can turn off location sharing on your device, change your device privacy settings, or decline to share location on your browser.

Closing Your Account. If you wish to close your account, please log in to your account and edit your plan.

Your Privacy Rights

Under the GDPR, EU residents have the existence of certain choices with respect to their personal information. You can make the following choices regarding your personal information:

Access to Your Personal Information. You may request access to your personal information by contacting us at the address described below. If required by law, upon request, we will grant you reasonable access to the personal information that we have about you. We will provide this information in a portable format, if required. Note that California residents may be entitled to ask us for a notice describing what categories of personal information (if any) we share with third parties or affiliates for direct marketing. 

Changes to Your Personal Information. We rely on you to update and correct your personal information. Our website(s) allow you to modify or delete your account profile. If our website does not permit you to update or correct certain information, you may contact us at the address described below in order to request that your information by modified. Note that we may keep historical information in our backup files as permitted by law. 

Deletion of Your Personal Information. Typically, we retain your personal information for the period necessary to fulfill the purposes outlined in this notice, unless a longer retention period is required or permitted by law. You may, however, request information about how long we keep a specific type of information, or request that we delete your personal information by contacting us at the address described below. If required by law we will grant a request to delete information, but you should note that in many situations we must keep your personal information to comply with our legal obligations, resolve disputes, enforce our agreements, or for another one of our business purposes.

Complaints and Objections to Certain Processing. We are committed to resolving valid complaints about your privacy and our collection or use of your personal information.  For questions or complaints regarding our data use practices or Privacy Notice please contact us at privacyteam@pandadoc.com .

Revocation of Consent. If you revoke your consent for the processing of personal information then we may no longer be able to provide you services. In some cases, we may limit or deny your request to revoke consent if the law permits or requires us to do so, or if we are unable to adequately verify your identity. You may revoke consent to processing (where such processing is based upon consent) by contacting us at the address described below.

You may exercise these rights by contacting us at privacyteam@pandadoc.com.

We will respond to any such request in a timely manner as specified by the GDPR. If we need more time to fulfill your request, we will let you know in advance. We will not exceed the legally specified time limit under any circumstance.

Note that, as required by law, we will require you to prove your identity. We may verify your identity by phone call or email. Depending on your request, we will ask for information such as your name or other account information. We may also ask you to provide a signed declaration confirming your identity. Following a request, we will use reasonable efforts to supply, correct or delete personal information about you in our files.

In some circumstances, you may designate an authorized agent to submit requests to exercise certain privacy rights on your behalf. We will require verification that you provided the authorized agent permission to make a request on your behalf. You must provide us with a copy of the signed permission you have given to the authorized agent to submit the request on your behalf and verify your own identity directly with us. If you are an authorized agent submitting a request on behalf of an individual you must attach a copy of the following information to the request:

  1. A completed, signed Authorized Agent Designation form indicating that you have authorization to act on the consumer’s behalf.
  2. If you are a business, proof that you are registered with the Secretary of State to conduct business in California.

If we do not receive both pieces of information, the request will be denied.

Other Important Information

The following additional information relates to our privacy practices:

International Data Transfers. Our company operates globally and has a global infrastructure. We utilize cloud computing which means your  personal data may be transferred to a country with data protection laws not as strong as where you reside.  We will transfer your Personal Data to countries deemed having adequate levels of data protection as determined by the European Commission.

If we share your personal information with entities located in the United States or other non-EEA jurisdictions which, according to the European Commission, do not offer an adequate level of protection to personal information we will rely on a variety of methods for lawful cross-border transfers. We may implement specific contracts, approved by the European Commission, which ensure the same protection to personal information as granted in the EEA, or other appropriate solutions to address cross-border transfers as required or permitted by Articles 46 and 49 of the GDPR.  Where required by such laws, you may request a copy of the suitable mechanisms we have in place by contacting us.

EU-/Swiss-U.S. Privacy Shield Frameworks Participation. In addition to the mechanisms set out above, we were previously certified to the EU-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EU to the United States. However, as of July 16, 2020 the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, and we can no longer rely on our EU-US Privacy Shield Framework certification for  transfers of  personal information from the European members countries to the US.  Instead, we rely on other appropriate safeguards recognized by the GDPR to effectuate such transfers set out above.  We will continue to apply the Privacy Shield Principles to the personal information that we received from the European member states prior to July 16, 2020.

Our participation in and certification of our compliance with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework is set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries, the United Kingdom, and Switzerland transferred to the United States pursuant to Privacy Shield. By participating in the Privacy Shield Frameworks, we agreed to subject our compliance to the regulatory enforcement of the Federal Trade Commission (“FTC”) or any other statutory body empowered to enforce compliance with the Principles.

If there is any conflict between the policies in this Privacy Notice and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern in relation to us. On a case-by-case basis, we will comply with certain lawful requests to disclose personal information from public authorities, including to meet national security or law enforcement requirements. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.

Our contractual accountability for personal information we receive under the Privacy Shield and subsequently transfer to a third party is described in the Privacy Shield Principles. In particular, we remain responsible and liable under the Privacy Shield Principles if third-party agents that we engage to process personal information on our behalf do so in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event(s) giving rise to the damage.

Children and Minors. PandaDoc does not knowingly collect personal data from children under the age of thirteen (13). If we learn that we have collected Personal Information from a child under age thirteen (13), we will delete such information as quickly as possible. If you believe that a child under the age of thirteen (13) may have provided us Personal Information, please contact us at: privacy@PandaDoc.com. By using the Website, you represent that you are at least eighteen (18) years old and understand that you must be at least eighteen (18) years old in order to create an account and/or purchase the goods and/or services through the Website.

Third Party Websites and Services. We have no control over the privacy practices of websites or applications that we do not own. We are not responsible for the practices employed by any websites and/or services linked to and/or from our Website, including the information and/or content contained therein. Please remember that when you use a link to go from our Website to another website and/or service, our Privacy Notice does not apply to such third-party websites and/or services. Your browsing and interaction on any third-party website and/or service, including those that have a link on our Website, are subject to such third-party’s own rules and policies. In addition, you agree that we are not responsible and do not have control over any third-parties that you authorize to access your personal data. If you are using a third-party website and/or service and you allow them to access your personal data, you do so at your own risk.

Accessibility. If you are visually impaired, you may access this notice through your browser’s audio reader.

Changes to our Privacy Notice

In general, changes will be made to this Privacy Notice to address new or modified laws and/or new or modified business procedures. However, we may update this Privacy Notice at any time, with or without advance notice, so please review it periodically. We may provide you additional forms of notice of modifications and/or updates as appropriate under the circumstances. Your continued use of the Website after any modification to this Privacy Notice will constitute your acceptance of such modifications and/or updates. You can determine when this Privacy Notice was last revised by referring to the date it was last “Updated” above.

Contacting Us

For questions or complaints regarding our use of your personal information or Privacy Notice, please contact us at: privacyteam@pandadoc.com or PandaDoc, Inc., Attention: Privacy Department, 3739 Balboa St. #1083, San Francisco, CA 94121.

——-

California Privacy Notice Addendum

YOUR CALIFORNIA PRIVACY RIGHTS

This section applies only to California residents. Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to receive: (a) information identifying any third-party companies to whom PandaDoc may have disclosed Personal Information to for direct marketing, within the past year; and (b) a description of the categories of Personal Information disclosed. To obtain such information, please email your request to privacyteam@pandadoc.com and we will provide a list of categories of Personal Information disclosed within thirty (30) days after receiving such a request. This request may be made no more than once per calendar year. We reserve the right not to respond to requests submitted in ways other than those specified above. 

PERSONAL INFORMATION WE COLLECT AND HOW WE COLLECT IT

We collect the type of information described in this California Privacy Notice Addendum and in the Privacy Notice, which includes Personal Information, in the manner described herein and in the Privacy Notice. “Personal Information” means information that identifies, relates to, or could reasonably be linked directly or indirectly with a particular California resident, including without limitation information that identifies or could reasonably be linked, directly or indirectly, with a particular consumer or device. Personal Information does not include (i) publicly available information from government records; (ii) deidentified or aggregated consumer information; or (iii) information excluded from the scope of the California Consumer Privacy Act (“CCPA”) such as health and medical information. If you do not provide the information that we ask for, we may not be able to provide you with the requested services. 

We collect Personal Information for the business purposes described in our Privacy Notice. The CCPA defines a “business purpose” as the use of Personal Information for the business’s operational purposes, or other notified purposes, provided the use of Personal Information is reasonably necessary and proportionate to achieve the operational purpose for which the Personal Information was collected or another operational purpose that is compatible with the context in which the Personal Information was collected.

The categories of other individuals or entities with whom we may share your Personal Information are listed in our Privacy Notice under “Sharing of Information”.

We have collected the following categories of Personal Information within the last twelve (12) months:

CategoryInformation
Identifiers.First name, last name, postal address, unique personal identifier, online identifier, internet protocol address, email address, email data, website usage data, account name, or other similar identifiers.
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).First name, last name, postal address, unique personal identifier, online identifier, internet protocol address, email address, email data, website usage data, account name, financial information, or other similar identifiers.
 
Note, some personal information included in this category may overlap with other categories.
Commercial information.Records of services purchased.
Internet or other similar network activity.Browsing history, search history, information on a consumer’s interaction with our website.
Geolocation data.Physical location via internet protocol address.
Professional or employment-related information.Current or past job history or performance evaluations, background information.

USE OF PERSONAL INFORMATION

For more information about how we collect your Personal Information, please see the “Types of Information We Collect” and “Use and Processing Your Information” sections of our Privacy Notice.

SHARING PERSONAL INFORMATION 

We share Personal Information as further described in the “Sharing of Information” section of the Privacy Notice. We also disclose the categories of third-parties to whom we disclosed Personal Information for business purposes is described in the same section. 

RIGHTS OF CALIFORNIA RESIDENTS

If you are a California resident, the CCPA provides you with specific rights regarding your Personal Information, subject to certain exceptions.  For instance, we cannot disclose specific pieces of Personal Information if the disclosure would create a substantial, articulable, and unreasonable risk to the security of the Personal Information, your account with us, or the security of our network systems.  These rights are explained below:

REQUEST FOR INFORMATION

Pursuant to Section 1798.83 of the California Civil Code (California’s “Shine the Light” law), residents of California have the right to request from a business, with whom the California resident has an established business relationship, certain information with respect to the types of personal information the business shares with third-parties for such third-parties’ direct marketing purposes and the identities of the third-parties with whom the business has shared such information during the immediately preceding twelve (12) month period. 

VERIFICATION ON CONSUMER REQUEST AND TIMELINE

To assert your right to know, to access, or to delete your Personal Information, please contact us as set forth below.  

To confirm your identity, It is imperative that we verify the consumer request and so you must provide information that allows us to reasonably verify that you are the person about whom we collected the Personal Information or are an authorized representative. If you make a request on behalf of another person, we will need to verify that you have the authority to do so. You must also describe the request with sufficient detail that allows us to properly understand, evaluate and respond to such request. We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. We will not honor your request if an exception to the law applies.

We will respond to requests within forty-five (45) days after our receipt of such verifiable request (or within such other time as required by applicable law). If we need additional time, we will notify you in writing prior to the expiration of the forty-five (45) day period and inform you of the reason for an additional forty-five (45) day extension of time. For the avoidance of doubt, any such requests for Personal Information will cover the twelve (12) month period immediately preceding the date of such verifiable request. A disclosure of Personal Information in response to such a request will be provided in a commonly used format. For more information about requests, please see the “Your rights and controlling your personal information” section of the Privacy Notice. 

Send us an email at privacyteam@pandadoc.com or you can also send a request in writing to PandaDoc, Inc., Attention: Privacy Department, 3739 Balboa St. #1083, San Francisco, CA 94121 to exercise any of the foregoing.