Updated: March 17, 2021
We are a global company based in San Francisco, California, USA. We provide documentation automation software as a service that helps companies streamline processes to create, approve and eSign proposals, quotes, contracts and other documents. Companies that use our services can provide their customers with a more professional, timely and engaging experience.
About this Privacy Notice
This Privacy Notice sets forth the handling practices of PandaDoc, Inc. (variously, “PandaDoc”, “we”, “our” or “us”) and its affiliates in regard to the collection, usage and disclosure of personal data or personal information that you may provide to us through using this website (www.pandadoc.com) (the “Website”), or by using any product or service provided by PandaDoc (the “Services”).
If you do not accept this Privacy Notice and/or do not meet and/or comply with the provisions set forth herein, then you should not use our Website.
Types of Information We Collect
The following provides examples of the type of information that we collect from you and how we use that information.
|Context||Types of Data||Primary Purpose for Collection and Use of Data|
|Client Information||We collect the name, username, and contact information of our clients and their employees with whom we may interact.||We have a legitimate interest in contacting our clients and communicating with them concerning normal business administration such as projects, services, and billing.|
|Client User Account information||We collect personal data from our clients when they create an account to access and use the Services or request certain free Services from our Website. This information could include business contact information such as name, email address, title, company information, industry, and password for our services.||We have a legitimate interest in providing account-related functionalities to our users, monitoring account log-ins, and detecting potential fraudulent logins or account misuse. Additionally, we use this information to fulfill our contract to provide you with Services.|
|Contact Information of vendors||Users of our service may ask their vendors or service providers to submit company and security-related information on our platform (e.g., to complete a security questionnaire). When a user invites a vendor we collect the name and email address of the vendor.||We have a legitimate interest in contacting vendors on behalf of our clients in order to invite them to communicate with companies through our platform. Among other things, the communication allows our clients to efficiently solicit, and receive, security questionnaires, and allows vendors to efficiently solicit, and transmit security questionnaires. Additionally, we use this information to fulfill our contract to provide services which may include soliciting, receiving, transmitting, and hosting responses to security questions.|
|Account Information – Vendors||We collect personal data from vendors when they create an account to access and use the Services or request certain free Services from our Website. This information could include business contact information such as name, email address, title, company information, and password for our services.||We have a legitimate interest in providing account related functionalities to our vendor-users, monitoring account log-ins, and detecting potential fraudulent logins or account misuse. Additionally, in some cases, we use this information to fulfill our contract to provide vendor-users with Services.|
|Email Interconnectivity||If you receive email from us, we use certain tools to capture data related to when you open our message, click on any links or banners it contains and make purchases.||We have a legitimate interest in understanding how you interact with our communications to you.|
|Employment||When you apply for a job posting, or become an employee, we collect information necessary to process your application or to retain you as an employee. This may include, among other things, your Social Security Number. Providing this information is required for employment.
We collect personal data from you contained in any inquiry you submit to us regarding our Website or Services, such as completing our online forms, calling, or emailing for the purposes of general inquiries, support requests, or to report an issue. When you communicate with us over the phone, your calls may be recorded and analyzed for training, quality control and for sales and marketing purposes. During such calls we will notify you of the recording via either voice prompt or script.
When you subscribe to one of our mailing list(s), we collect your email address or postal address.
We collect information from your mobile device when visiting our Website. Such information may include operating system type and/or mobile device model, browser type, domain, and other system settings, the language your system uses and the country and time zone of your device, geo-location, unique device identifier and/or other device identifier, mobile phone carrier identification, and device software platform and firmware information.
|We have a legitimate interest in identifying unique visitors, and in understanding how users interact with us on their mobile devices.|
|Website interactions||We use technology to monitor how you interact with our website. This may include which links you click on, or information that you type into our online forms. This may also include information about your device or browser.||We have a legitimate interest in understanding how you interact with our website to better improve it, and to understand your preferences and interests in order to select offerings that you might find most useful. We also have a legitimate interest in detecting and preventing fraud.|
|Web logs||We collect information, including your browser type, operating system, Internet Protocol (IP) address (a number that is automatically assigned to a computer when the Internet is used), domain name, click-activity, referring website, and/or a date/time stamp for visitors.||We have a legitimate interest in monitoring our networks and the visitors to our websites. Among other things, it helps us understand which of our services is the most popular.|
In addition to the information that we collect from you directly, we may also receive information about you from other sources, including third parties, business partners, our affiliates, or publicly available sources. For example, if you submit a job application, or become an employee, we may conduct a background check.
Use and Processing of Personal Information
In addition to the purposes and uses described above, we use information in the following ways:
- To identify you when you visit our websites.
- To provide our Services.
- To improve our Services and offerings.
- To promote the security of our Website and Services.
- To conduct analytics.
- To respond to inquiries related to support, employment opportunities, or other requests.
- To send marketing and promotional materials including information relating to our products, services, sales, or promotions, or those of our business partners.
- For internal administrative purposes, as well as to manage our relationships.
Although the sections above describe our primary purpose in collecting your information, in many situations we have more than one purpose. For example, if you sign up for Services, we may collect your information to complete that transaction, but we also collect your information as we have a legitimate interest in maintaining your information after your transaction is complete so that we can quickly and easily respond to any questions about your Services. As a result, our collection and processing of your information is based in different contexts upon your consent, our need to perform a contract, our obligations under law, and/or our legitimate interest in conducting our business.
Sharing of Information
In addition to the specific situations discussed elsewhere in this policy, we may share personal information in the following situations:
- Affiliates and Acquisitions. We may share information with our corporate affiliates (e.g., parent company, sister companies, subsidiaries, joint ventures, or other companies under common control). If another company acquires, or plans to acquire, our company, business, or our assets, we will also share information with that company, including at the negotiation stage.
- Other Disclosures with Your Consent. We may ask if you would like us to share your information with other unaffiliated third parties who are not described elsewhere in this policy.
- Other Disclosures without Your Consent. We may disclose information in response to subpoenas, warrants, or court orders, or in connection with any legal process, or to comply with relevant laws. We may also share your information in order to establish or exercise our rights, to defend against a legal claim, to investigate, prevent, or take action regarding possible illegal activities, suspected fraud, safety of person or property, or a violation of our policies, or to comply with your request for the shipment of products to or the provision of services by a third-party intermediary.
- Public. Some of our websites may provide the opportunity to post comments, or reviews, in a public forum. If you decide to submit information on these pages, that information may be publicly available.
- Service Providers. We share your information with service providers. Among other things service providers help us to administer our website, send e-mail communications, conduct surveys, provide technical support, detect fraud, process payments, and assist in the fulfillment of orders. Our service providers will be given access to your personal information as is reasonably necessary to provide the Website and related Services. Our service providers are contractually obligated to use your personal information only at our direction and in accordance with our Privacy Notice; to handle your personal information in confidence; and to not disclose your personal information to unauthorized third parties. Service providers who violate these obligations are subject to appropriate discipline including, but not limited to, termination as a service provider.
Except as otherwise stated in this Privacy Notice, we do not sell, trade, rent or otherwise share for marketing purposes your Personal Data with third parties without your consent.
Retention of Your Personal Information
The length of time for which we retain personal information depends on the purposes for which we collected and use it and/or as required to comply with applicable laws. Where there are technical limitations that prevent deletion or anonymization, we safeguard personal information and limit active use of it.
See the Section “Your Choices” about storage of your personal information.
How We Protect Your Personal Information
We implement security measures designed to protect your personal information from unauthorized access. We apply these tools based on the sensitivity of the personal information we collect, use, and store, and the current state of technology. We protect your personal information through technical and organizational security measures to minimize risks associated with data loss, misuse, unauthorized access, and unauthorized disclosure and alteration. We periodically review our information collection, storage and processing practices, including technical and organizational measures, to guard against unauthorized access to systems. Your account is protected by your account password and we urge you to take steps to keep your personal information safe by not disclosing your password and by logging out of your account after each use.
Because the internet is not a completely secure environment, PandaDoc cannot warrant the security of any information you transmit to PandaDoc or guarantee that information on the Website may not be accessed, disclosed, altered and/or destroyed by breach of any of our physical, technical and/or managerial safeguards. In addition, while we take reasonable measures to ensure that service providers keep your information confidential and secure, such service providers’ practices are ultimately beyond our control.
We are not responsible for the functionality, privacy and/or security measures of any other organization. By using our Website, you acknowledge that you understand and agree to assume these risks. You may ask for a list of technical and organizational measures taken to protect your personal data by e-mailing us at: firstname.lastname@example.org.
You may take the below actions to change or limit the collection or use of your personal information.
Promotional Emails. You may choose to provide us with your email address for the purpose of allowing us to send free newsletters, surveys, offers, and other promotional materials to you, as well as targeted offers from third parties. You can stop receiving promotional emails by following the unsubscribe instructions in e-mails that you receive. If you decide not to receive promotional emails, we may still send you service related communications.
Online Tracking. We do not currently recognize automated browser signals regarding tracking mechanisms, which may include “Do Not Track” instructions.
Device and Usage Information. If you do not want us to see your device location, you can turn off location sharing on your device, change your device privacy settings, or decline to share location on your browser.
Closing Your Account. If you wish to close your account, please log in to your account and edit your plan.
Your Privacy Rights
Under the GDPR, EU residents have certain choices with respect to their personal information. You can make the following choices regarding your personal information:
Access to Your Personal Information. You may request access to your personal information by contacting us at the address described below. If required by law, upon request, we will grant you reasonable access to the personal information that we have about you. We will provide this information in a portable format, if required. Note that California residents may be entitled to ask us for a notice describing what categories of personal information (if any) we share with third parties or affiliates for direct marketing.
Changes to Your Personal Information. We rely on you to update and correct your personal information. Our website(s) allow you to modify or delete your account profile. If our website does not permit you to update or correct certain information, you may contact us at the address described below in order to request that your information be modified. Note that we may keep historical information in our backup files as permitted by law.
Deletion of Your Personal Information. Typically, we retain your personal information for the period necessary to fulfill the purposes outlined in this notice, unless a longer retention period is required or permitted by law. You may, however, request information about how long we keep a specific type of information, or request that we delete your personal information by contacting us at the address described below. If required by law we will grant a request to delete information, but you should note that in many situations we must keep your personal information to comply with our legal obligations, resolve disputes, enforce our agreements, or for another one of our business purposes.
Complaints and Objections to Certain Processing. We are committed to resolving valid complaints about your privacy and our collection or use of your personal information. For questions or complaints regarding our data use practices or Privacy Notice please contact us at email@example.com.
Revocation of Consent. If you revoke your consent for the processing of personal information then we may no longer be able to provide you services. In some cases, we may limit or deny your request to revoke consent if the law permits or requires us to do so, or if we are unable to adequately verify your identity. You may revoke consent to processing (where such processing is based upon consent) by contacting us at the address described below.
You may exercise these rights by contacting us at firstname.lastname@example.org.
We will respond to any such request in a timely manner as specified by the GDPR. If we need more time to fulfill your request, we will let you know in advance. We will not exceed the legally specified time limit under any circumstance.
Note that, as required by law, we will require you to prove your identity. We may verify your identity by phone call or email. Depending on your request, we will ask for information such as your name or other account information. We may also ask you to provide a signed declaration confirming your identity. Following a request, we will use reasonable efforts to supply, correct or delete personal information about you in our files.
In some circumstances, you may designate an authorized agent to submit requests to exercise certain privacy rights on your behalf. We will require verification that you provided the authorized agent permission to make a request on your behalf. You must provide us with a copy of the signed permission you have given to the authorized agent to submit the request on your behalf and verify your own identity directly with us. If you are an authorized agent submitting a request on behalf of an individual you must attach a copy of the following information to the request:
- A completed, signed Authorized Agent Designation form indicating that you have authorization to act on the consumer’s behalf.
- If you are a business, proof that you are registered with the Secretary of State to conduct business in California.
If we do not receive both pieces of information, the request will be denied.
Other Important Information
The following additional information relates to our privacy practices:
International Data Transfers. Our company operates globally and has a global infrastructure. We utilize cloud computing which means your personal data may be transferred to a country with data protection laws not as strong as where you reside. We will transfer your Personal Data to countries deemed to have adequate levels of data protection as determined by the European Commission.
If we share your personal information with entities located in the United States or other non-EEA jurisdictions which, according to the European Commission, do not offer an adequate level of protection to personal information we will rely on a variety of methods for lawful cross-border transfers. We may implement specific contracts, approved by the European Commission, which ensure the same protection to personal information as granted in the EEA, or other appropriate solutions to address cross-border transfers as required or permitted by Articles 46 and 49 of the GDPR. Where required by such laws, you may request a copy of the suitable mechanisms we have in place by contacting us.
EU-/Swiss-U.S. Privacy Shield Frameworks Participation. In addition to the mechanisms set out above, we were previously certified to the EU-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EU to the United States. However, as of July 16, 2020 the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, and we can no longer rely on our EU-US Privacy Shield Framework certification for transfers of personal information from the European member countries to the US. Instead, we rely on other appropriate safeguards recognized by the GDPR to effectuate such transfers set out above. We will continue to apply the Privacy Shield Principles to the personal information that we received from the European member states prior to July 16, 2020.
Our participation in and certification of our compliance with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework is set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries, the United Kingdom, and Switzerland transferred to the United States pursuant to Privacy Shield. By participating in the Privacy Shield Frameworks, we agreed to subject our compliance to the regulatory enforcement of the Federal Trade Commission (“FTC”) or any other statutory body empowered to enforce compliance with the Principles.
If there is any conflict between the policies in this Privacy Notice and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern in relation to us. On a case-by-case basis, we will comply with certain lawful requests to disclose personal information from public authorities, including to meet national security or law enforcement requirements. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.
Our contractual accountability for personal information we receive under the Privacy Shield and subsequently transfer to a third party is described in the Privacy Shield Principles. In particular, we remain responsible and liable under the Privacy Shield Principles if third-party agents that we engage to process personal information on our behalf do so in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event(s) giving rise to the damage.
Children and Minors. PandaDoc does not knowingly collect personal data from children under the age of thirteen (13). If we learn that we have collected Personal Information from a child under age thirteen (13), we will delete such information as quickly as possible. If you believe that a child under the age of thirteen (13) may have provided us Personal Information, please contact us at: privacy@PandaDoc.com. By using the Website, you represent that you are at least eighteen (18) years old and understand that you must be at least eighteen (18) years old in order to create an account and/or purchase the goods and/or services through the Website.
Third Party Websites and Services. We have no control over the privacy practices of websites or applications that we do not own. We are not responsible for the practices employed by any websites and/or services linked to and/or from our Website, including the information and/or content contained therein. Please remember that when you use a link to go from our Website to another website and/or service, our Privacy Notice does not apply to such third-party websites and/or services. Your browsing and interaction on any third-party website and/or service, including those that have a link on our Website, are subject to such third-party’s own rules and policies. In addition, you agree that we are not responsible and do not have control over any third-parties that you authorize to access your personal data. If you are using a third-party website and/or service and you allow them to access your personal data, you do so at your own risk.
Accessibility. If you are visually impaired, you may access this notice through your browser’s audio reader.
Changes to our Privacy Notice
In general, changes will be made to this Privacy Notice to address new or modified laws and/or new or modified business procedures. However, we may update this Privacy Notice at any time, with or without advance notice, so please review it periodically. We may provide you additional forms of notice of modifications and/or updates as appropriate under the circumstances. Your continued use of the Website after any modification to this Privacy Notice will constitute your acceptance of such modifications and/or updates. You can determine when this Privacy Notice was last revised by referring to the date it was last “Updated” above.
For questions or complaints regarding our use of your personal information or Privacy Notice, please contact us at: email@example.com or PandaDoc, Inc., Attention: Privacy Department, 3739 Balboa St. #1083, San Francisco, CA 94121.
California Privacy Notice Addendum
YOUR CALIFORNIA PRIVACY RIGHTS
This section applies only to California residents. Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to receive: (a) information identifying any third-party companies to whom PandaDoc may have disclosed Personal Information for direct marketing, within the past year; and (b) a description of the categories of Personal Information disclosed. To obtain such information, please email your request to firstname.lastname@example.org and we will provide a list of categories of Personal Information disclosed within thirty (30) days after receiving such a request. This request may be made no more than once per calendar year. We reserve the right not to respond to requests submitted in ways other than those specified above.
PERSONAL INFORMATION WE COLLECT AND HOW WE COLLECT IT
We collect the type of information described in this California Privacy Notice Addendum and in the Privacy Notice, which includes Personal Information, in the manner described herein and in the Privacy Notice. “Personal Information” means information that identifies, relates to, or could reasonably be linked directly or indirectly with a particular California resident, including without limitation information that identifies or could reasonably be linked, directly or indirectly, with a particular consumer or device. Personal Information does not include (i) publicly available information from government records; (ii) deidentified or aggregated consumer information; or (iii) information excluded from the scope of the California Consumer Privacy Act (“CCPA”) such as health and medical information. If you do not provide the information that we ask for, we may not be able to provide you with the requested services.
We collect Personal Information for the business purposes described in our Privacy Notice. The CCPA defines a “business purpose” as the use of Personal Information for the business’s operational purposes, or other notified purposes, provided the use of Personal Information is reasonably necessary and proportionate to achieve the operational purpose for which the Personal Information was collected or another operational purpose that is compatible with the context in which the Personal Information was collected.
The categories of other individuals or entities with whom we may share your Personal Information are listed in our Privacy Notice under “Sharing of Information”.
We have collected the following categories of Personal Information within the last twelve (12) months:
|Identifiers.||First name, last name, postal address, unique personal identifier, online identifier, internet protocol address, email address, email data, website usage data, account name, or other similar identifiers.|
|Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).||First name, last name, postal address, unique personal identifier, online identifier, internet protocol address, email address, email data, website usage data, account name, financial information, or other similar identifiers. Note, some personal information included in this category may overlap with other categories.|
|Commercial information.||Records of services purchased.|
|Internet or other similar network activity.||Browsing history, search history, information on a consumer’s interaction with our website.|
|Geolocation data.||Physical location via internet protocol address.|
|Professional or employment-related information.||Current or past job history or performance evaluations, background information.|
USE OF PERSONAL INFORMATION
For more information about how we collect your Personal Information, please see the “Types of Information We Collect” and “Use and Processing Your Information” sections of our Privacy Notice.
SHARING PERSONAL INFORMATION
We share Personal Information as further described in the “Sharing of Information” section of the Privacy Notice. The categories of third parties to whom we disclosed Personal Information for business purposes are described in the same section.
RIGHTS OF CALIFORNIA RESIDENTS
If you are a California resident, the CCPA provides you with specific rights regarding your Personal Information, subject to certain exceptions. For instance, we cannot disclose specific pieces of Personal Information if the disclosure would create a substantial, articulable, and unreasonable risk to the security of the Personal Information, your account with us, or the security of our network systems. These rights are explained below:
- Right Against Discrimination. You have the right not to be discriminated against for exercising any of the rights described in this section. We will not discriminate against you for exercising your right to know, delete or opt-out of sales.
- Right to Access. You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past twelve (12) months. PandaDoc will provide personal information to a consumer upon request a maximum of two times in a 12-month period. Once we receive and confirm your verifiable consumer request, we will disclose the following to you: (i) the categories of Personal Information we collected about you; (ii) the categories of sources for the Personal Information we collected about you; (iii) the business purpose for collecting (or selling, if applicable) the Personal Information; (iv) the categories of third parties with whom we share such Personal Information; and (v) the specific information we collected about you.
- Right to Delete. You have the right to request that we delete any of your Personal Information we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete and will direct our service providers to delete your Personal Information from our records, unless an exception applies. Keep in mind, we may deny your request if it is necessary for us or our service providers to: (i) complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform services pursuant to our contract with you; (ii) detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities; (iii) debug our website and/or identify and repair errors that impair existing intended functionality; (iv) exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law; (v) comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.); (vi) engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent; (vii) enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us; (viii) make other internal and lawful uses of that information that are compatible with the context in which you provided it; or (ix) comply with a legal obligation.
- Right to Opt-Out of Selling. You have the right to opt-out of having your Personal Information sold. PandaDoc does not sell Personal Information for monetary or other valuable consideration.
REQUEST FOR INFORMATION
Pursuant to Section 1798.83 of the California Civil Code (California’s “Shine the Light” law), residents of California have the right to request from a business, with whom the California resident has an established business relationship, certain information with respect to the types of personal information the business shares with third-parties for such third-parties’ direct marketing purposes and the identities of the third-parties with whom the business has shared such information during the immediately preceding twelve (12) month period.
VERIFICATION ON CONSUMER REQUEST AND TIMELINE
To assert your right to know, to access, or to delete your Personal Information, please contact us as set forth below.
To confirm your identity, it is imperative that we verify the consumer request, and so you must provide information that allows us to reasonably verify that you are the person about whom we collected the Personal Information or are an authorized representative. If you make a request on behalf of another person, we will need to verify that you have the authority to do so. You must also describe the request with sufficient detail that allows us to properly understand, evaluate and respond to such request. We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. We will not honor your request if an exception to the law applies.
We will respond to requests within forty-five (45) days after our receipt of such verifiable request (or within such other time as required by applicable law). If we need additional time, we will notify you in writing prior to the expiration of the forty-five (45) day period and inform you of the reason for an additional forty-five (45) day extension of time. For the avoidance of doubt, any such requests for Personal Information will cover the twelve (12) month period immediately preceding the date of such verifiable request. A disclosure of Personal Information in response to such a request will be provided in a commonly used format. For more information about requests, please see the “Your rights and controlling your personal information” section of the Privacy Notice.
Send us an email at email@example.com or you can also send a request in writing to PandaDoc, Inc., Attention: Privacy Department, 3739 Balboa St. #1083, San Francisco, CA 94121 to exercise any of the foregoing.