Privacy Notice

Updated: October 28, 2020

About Us

We are a global company based in San Francisco, California, USA. We provide documentation automation software as a service that helps companies streamline processes to create, approve and eSign proposals, quotes, contracts and other documents. Companies that use our services can provide their customers with a more professional, timely and engaging experience.

About this Privacy Notice

This Privacy Notice sets forth the handling practices of PandaDoc, Inc. (variously, “PandaDoc”, “we”, “our” or “us”) in regard to the collection, usage and disclosure of personal and/or corporate information that you may provide to us through using this website (www.pandadoc.com), or by using any product or service provided by PandaDoc (the “Website”).
If you do not accept this Privacy Notice and/or do not meet and/or comply with the provisions set forth herein, then you should not use our Website.

Contacting Us

We may be contacted in the following ways:

E-mail: privacy@pandadoc.com

Physical address:
PandaDoc, Inc.
Attention: Privacy Department
3739 Balboa St. #1083
San Francisco, CA 94121

Changes to our Privacy Notice

In general, changes will be made to this Privacy Notice to address new or modified laws, changes to ‘EU-US Privacy Shield Framework’ and/or new or modified business procedures. However, we may update this Privacy Notice at any time, with or without advance notice, so please review it periodically.

We may provide you additional forms of notice of modifications and/or updates as appropriate under the circumstances. Your continued use of the Website after any modification to this Privacy Notice will constitute your acceptance of such modifications and/or updates. 

You can determine when this Privacy Notice was last revised by referring to the date it was last “Updated” above.

About this Privacy Notice

Personal Data

“Personal Data” is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual. We may ask for certain Personal Data from you for the purpose of providing you content and/or services that you request.

We collect Personal Data such as your: (i) contact information (including name, address and email); (ii) financial information (such as credit card number, expiration date, verification number and billing address); (iii) contact information of your company and/or other identity information you share with us (including industry or profession); (iv) location information (such as geographic location of the device you are using); and/or (v) preferences and feedback.

By registering, you are authorizing us to collect, store and use your email address, and other such information you provide during registration, in accordance with this Privacy Notice. 

Once you register, you have opted in to receive electronic communications from PandaDoc. If you use an external application accounts (like ‘Google’) to sign into the Website, we will collect and store your user identification information (“ID”). The privacy practices of external applications and websites are set forth in their privacy policies, and PandaDoc has no control over the use of your ID by such parties. 

PandaDoc may also provide you with the opportunity to participate in surveys through our Website. If you participate, we will request certain Personal Data. 

Participation in surveys is completely voluntary and you therefore have a choice whether to disclose such information.

Non-Personal Information

“Non-Personal Information” is general user information that does not contain personally identifiable information, which is collected on an aggregate basis as you use our Website. We collect Non-Personal Information such as:

Purposes of Processing

General Use

We may share your Personal Data to fulfill the purposes for which you provide it, for any other purposes disclosed by us when you provide the Personal Data, with your consent, and/or to third parties designated by you.

Except as otherwise stated in this Privacy Notice, we do not sell, trade, rent or otherwise share for marketing purposes your Personal Data with third parties without your consent. For example, we may use your Personal Data to:

The information collected in the aggregate enables PandaDoc to better understand your use of the Website and to enhance your enjoyment. We may use financial information to process payment for any purchases made on the Website, enroll you in one of our accounts and/or other related services in which you elect to participate. If you use the Website, you agree to receive certain communications from us including but not limited to the following:

Special Offers, Newsletters and Updates. We will occasionally send you information on products, special deals, promotions, and newsletters. You can sign up for these emails from us at any time on our website. Out of respect for your privacy, you may elect not to receive these types of communications by changing your account setting through the Website.

Customer Service. Based upon the personally identifiable information you provide us, we will communicate with you in response to your inquiries, to provide the services you request and to manage your account. We will communicate with you by email or telephone, as you may elect.

Supplementation of Information. In order to process your credit card orders, we use a third-party provider to validate and verify your account information. All billing and account information is transmitted via https, which is a secure encrypted protocol system.

Legal Basis of Processing

We rely on a variety of bases for processing your personal data in a fair and legal manner. We will not rely on a single basis. We will use any of the following bases, depending on how we use your personal data:

Recipients or Categories of Recipients of Data

We may share Personal Data and User Content with:

We may rely upon vendors, contractors, or agents (collectively, “Service Providers”) to provide servers for our e-mail communications which we use to communicate with you. We may also use Service Providers to help us authenticate systems and detect fraud.

Our Service Providers will be given access to your Personal Data as is reasonably necessary to provide the Website and related products and/or services. 

We strive to use appropriate technical and organizational measures to protect your Personal Data. If Service Providers acquire confidential or proprietary information belonging to PandaDoc or its customers, such information is required to be handled in confidence and may not be disclosed to unauthorized third parties.

Our Service Providers are contractually obligated to use your Personal Data only at our direction and in accordance with our Privacy Notice.

Service Providers who violate our security and safe maintenance of data policies are subject to appropriate discipline including, but not limited to, termination. Certain Service Providers will automatically collect non-identifying information about your use of our Website by using cookies and other technologies as similarly used by PandaDoc.

We also may be required to disclose an individual’s Personal Data in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

For example, we will disclose your Personal Information in the following circumstances: (i) to investigate and defend PandaDoc members against any third- party claims and/or allegations and/or otherwise to protect PandaDoc from liability, (ii) to investigate, prevent and/or take action regarding suspected and/or actual illegal activities, (iii) to assist government enforcement agencies, respond to a legal process and/or comply with the law, (iv) to exercise or protect the rights, property and/or personal safety of the users of the Website, and/or (v) to protect the security and/or integrity of the Service. 

In response to a verified request by law enforcement or other government officials relating to a criminal investigation or alleged illegal activity, we can (and you authorize us to) disclose your name, city, state, telephone number, email address, user ID history, fraud complaints, and usage history, without a subpoena, in connection with an investigation of fraud, intellectual property infringement, piracy, and/or other unlawful activity.

International Data Transfers

Our company operates globally and has a global infrastructure. We utilize cloud computing which means your Personal Data may be transferred to a country with data protection laws not as strong as where you reside.

We will transfer your Personal Data to countries deemed having adequate levels of data protection as determined by the European Commission. For those countries that do not have adequate levels of protection as determined by the European Commission, we will rely on a variety of methods for lawful cross-border transfers.

We may utilize Standard Contractual Clauses (or Model Clauses) in contracts with third-parties in these countries. Standard Contractual Clauses provide additional contractual guarantees around transfers of Personal Data.

In addition to our commitments under the Standard Contractual Clauses and other Model Clauses, we are certified to the EU-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EU to the United States. Our participation in the Privacy Shield applies to Personal Data that is received from the EU, European Economic Area, and Switzerland. We also abide by Swiss data protection law regarding the processing of personal data from the European Economic Area and Switzerland. PandaDoc has certified that it adheres to the ‘EU-US and Swiss-US Privacy Shield Principles’ of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement and liability as set forth by the US Department of Commerce.

On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Schrems II). We anticipate receiving further guidance from the EU supervisory authorities on how to comply with the new data transfer regime after the Schrems II decision, including what supplementary measures may become necessary. We will continue to monitor forthcoming announcements to stay up to date.

To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.

Security

We implement security measures designed to protect your Personal Data from unauthorized access. Your account is protected by your account password and we urge you to take steps to keep your Personal Data safe by not disclosing your password and by logging out of your account after each use.

We periodically review our information collection, storage and processing practices, including technical and organizational measures, to guard against unauthorized access to systems.

We further protect your Personal Data from potential personal data breaches by implementing certain technological measures including encryption, firewalls, and secure socket layer technology.

Because the internet is not a completely secure environment, PandaDoc cannot warrant the security of any information you transmit to PandaDoc or guarantee that information on the Website may not be accessed, disclosed, altered and/or destroyed by breach of any of our physical, technical and/or managerial safeguards. In addition, while we take reasonable measure to ensure that Service Providers keep your information confidential and secure, such Service Provider’s practices are ultimately beyond our control. 

We are not responsible for the functionality, privacy and/or security measures of any other organization. By using our Website, you acknowledge that you understand and agree to assume these risks.

You may ask for a list of technical and organizational measures taken to protect your personal data by e-mailing us at: privacy@pandadoc.com

Data Retention

We will retain Personal Data we process on behalf of our customers as needed to provide the services they request. Also, we will retain this Personal Data only as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Data Subject Access Rights

Under the GDPR, EU residents have the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability.

We will do this in a timely manner as specified by the GDPR. If we need more time to fulfill your request, we will let you know in advance. We will not exceed the legally specified time limit under any circumstance.

You may exercise these rights by contacting us as follows:

E-mail: privacy@pandadoc.com

Complaints

The GDPR allows EU citizens to file a complaint to a supervisory authority if they feel that their rights and freedoms have been violated. While we hope that you would work with us to resolve your issue, you may also file a complaint to the applicable supervisory authority through this link:

https://edpb.europa.eu/about-edpb/board/members_en

PandaDoc has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction

We will continue to monitor further guidance with regard to the EU/US Privacy Shield after the decision in the Schrems II case (see “International Data Transfers” above).

Automated Decision Making and Profiling

Our company does not use your personal data for automated decision making or profiling. An example of this is when you apply for a bank loan. Some companies may use an algorithm or automated process to decide about your loan. Again, this does not apply to our organization or the use of your personal data.

Children and Minors

PandaDoc does not knowingly collect Personal Data from children under the age of thirteen (13). If we learn that we have collected Personal Information from a child under age thirteen (13), we will delete such information as quickly as possible. If you believe that a child under the age of thirteen (13) may have provided us Personal Information, please contact us at: privacy@PandaDoc.com.

By using the Website, you represent that you are at least eighteen (18) years old and understand that you must be at least eighteen (18) years old in order to create an account and/or purchase the goods and/or services through the Website.

Other websites and services

We are not responsible for the practices employed by any websites and/or services linked to and/or from our Website, including the information and/or content contained therein. Please remember that when you use a link to go from our Website to another website and/or service, our Privacy Notice does not apply to such third-party websites and/or services. Your browsing and interaction on any third-party website and/or service, including those that have a link on our Website, are subject to such third-party’s own rules and policies. In addition, you agree that we are not responsible and do not have control over any third-parties that you authorize to access your Personal Data. If you are using a third-party website and/or service and you allow them to access your Personal Data, you do so at your own risk.

California Privacy Notice Addendum

Your California Privacy Rights

Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to receive: (a) information identifying any third-party companies to whom PandaDoc may have disclosed Personal Information to for direct marketing, within the past year; and (b) a description of the categories of Personal Information disclosed. To obtain such information, please email your request to privacy@pandadoc.com and we will provide a list of categories of Personal Information disclosed within thirty (30) days after receiving such a request. This request may be made no more than once per calendar year. We reserve the right not to respond to requests submitted in ways other than those specified above.

Personal information we collect and how we collect it

We collect the type of information described in this California Privacy Notice Addendum and in the Privacy Notice, which includes Personal Information, in the manner described herein and in the Privacy Notice. “Personal Information” means information that identifies, relates to, or could reasonably be linked directly or indirectly with a particular California resident, including without limitation information that identifies or could reasonably be linked, directly or indirectly, with a particular consumer or device. Personal Information does not include (i) publicly available information from government records; (ii) deidentified or aggregated consumer information; or (iii) information excluded from CCPA’s scope such as health and medical information. If you do not provide the information that we ask for, we may not be able to provide you with the requested services.

Personal Information may be collected from you (directly or indirectly) or you may provide such Personal Information when you contact us, visit our website, and/or engage us to provide services. This California Privacy Notice Addendum and the Privacy Notice explain our practices for collecting, using, sharing, maintaining, protecting, and disclosing such information.

We have collected the following categories of Personal Information within the last twelve (12) months:

Category Information
Identifiers. First name, last name, postal address, unique personal identifier, online identifier, internet protocol address, email address, email data, website usage data, account name, or other similar identifiers.
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). First name, last name, postal address, unique personal identifier, online identifier, internet protocol address, email address, email data, website usage data, account name, financial information, or other similar identifiers.

Note, some personal information included in this category may overlap with other categories.

Commercial information. Records of services purchased.
Internet or other similar network activity. Browsing history, search history, information on a consumer’s interaction with our website.
Geolocation data. Physical location via internet protocol address.
Professional or employment-related information. Current or past job history or performance evaluations.

Use of personal information

For more information about how the Personal Information (as defined in the Privacy Notice) we collect and how we collect it, please see the “Information We Collect” and “How We Use and Share Information” sections of our Privacy Notice.

Sharing personal information

We share Personal Information as further described in the “How We Use and Share Information” section of the Privacy Notice. We also disclose the categories of third-parties to whom we disclosed Personal Information for business purposes is described in the “Whom We Share Your Information With” of the Privacy Notice.

Rights of California residents

The CCPA provides California residents with specific rights regarding their Personal Information. You have the following rights that may be exercised as further described below:

Access and data portability rights

You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past twelve (12) months. You may make such request for access or data portability twice within twelve (12) month period. Once we receive and confirm your verifiable consumer request, we will disclose the following to you: (i) the categories of Personal Information we collected about you; (ii) the categories of sources for the Personal Information we collected about you; (iii) the business purpose for collecting (or selling, if applicable) the Personal Information; (iv) the categories of third parties with whom we share such Personal Information; and (v) the specific information we collected about you.

Request for information

Pursuant to Section 1798.83 of the California Civil Code (California’s “Shine the Light” law), residents of California have the right to request from a business, with whom the California resident has an established business relationship, certain information with respect to the types of personal information the business shares with third-parties for such third-parties’ direct marketing purposes and the identities of the third-parties with whom the business has shared such information during the immediately preceding twelve (12) month period.

Deletion requests

Pursuant to the CCPA, you have the right to request that we delete any of your Personal Information we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete and will direct our service providers to delete your Personal Information from our records, unless an exception applies. Keep in mind, we may deny your request if it is necessary for us or our service providers to: (i) complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform services pursuant to our contract with you; (ii) detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities; (iii) debug our website and/or identify and repair errors that impair existing intended functionality; (iv) exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law; (v) comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.); (vi) engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent; (vii) enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us; (viii) make other internal and lawful uses of that information that are compatible with the context in which you provided it; or (xi) comply with a legal obligation.

Opt-out and opt-in rights for sale of personal information

In the past twelve (12) months we have not sold Personal Information to a third-party for monetary or other valuable consideration. If you are sixteen (16) years of age or older, you have the right to direct us not to sell your Personal Information at any time by contacting us at privacy@pandadoc.com or by sending a request in writing to:

PandaDoc, Inc.
Attention: Privacy Department
3739 Balboa St. #1083
San Francisco, CA 94121

In the event you make the foregoing request, we will wait at least twelve (12) months thereafter to request that you opt-in to the sale of Personal Information (should we change our practices in the future and desire to do so). Please note, you do not need to create an account with us or engage us to provide services to exercise your opt-out rights. We will only use the Personal Information and other data in the opt-out request to review and comply with the request.

Verification on consumer request and timeline

It is imperative that we verify the consumer request and so you must provide information that allows us to reasonably verify you are the person about whom we collected the Personal Information or an authorized representative. If you make a request on behalf of another individual, we will need to verify that you have the authority to do so. You must also describe your request with sufficient detail that allows us to properly understand, evaluate and respond to such request. We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. We will not honor your request if an exception to the law applies.

We will try and respond to requests within forty-five (45) days after our receipt of such verifiable request (or within such other time as required by applicable law). If we need additional time, we will notify you in writing and inform you of the reason for the extension of time. For the avoidance of doubt, any such requests for Personal Information will cover the twelve (12) month period immediately preceding the date of such verifiable request. We will provide such information in a commonly used format. We will not discriminate against you for exercising your rights under the CCPA. For more information about requests, please see the “Your rights and controlling your personal information” section of the Privacy Notice.

Send us an email at privacy@pandadoc.com or you can also send a request in writing to PandaDoc, Inc., Attention: Privacy Department, 3739 Balboa St. #1083, San Francisco, CA 94121 to exercise any of the foregoing rights, as applicable.