OVERVIEW

Capillary Technologies provides enterprise Software-as-a- Service (“SaaS”) solutions for clients to manage their loyalty program delivering personalized experiences, email & cross- channel messaging, and loyalty strategies at scale (the “Services”)

This Capillary Services Privacy Notice exists to provide details regarding the Processing of Personal Data Related to Services provided by Capillary entities (referred to as “Capillary,” “we,” “us” or “Our”).

Capillary takes data privacy and security seriously.

We are certified for the following standards:

1. ISO27001:2022
2. SOC2 Type 2 for trust services criteria of:
   1. Security
   2. Confidentiality
   3. Availability
   4. Privacy
3. SOC1 Type 2 for trust services criteria of:
   1. Internal controls over financial reporting
4. PCI DSS 4.0

From a privacy standpoint, we adhere to all the privacy regulations of the regions we operate in.

This Privacy Notice explains how we collect, use, disclose, retain, and protect the personal information in our care. This includes information collected through our platform login portals, and when we are providing you, our Services.

Capillary is a provider of loyalty & customer engagement solutions (products & services) in Business to Business (B2B) space. Companies (referred to as “Customers”) use these solutions to reward, engage and drive advocacy with their end consumers (referred to as “End users”). The personalized engagement with end users is done through electronic messaging channels (email, SMS, social media, push notifications etc.) as well as their own websites, landing pages, and other technologies to improve their business.

Definitions we will use in this notice

Identifier	Description	Capillary context
Personal Data	Personal data or personal information means any information relating to an identified or identifiable individual	Corresponds to data of Capillary’s employees, customer’s employees and end users who use Capillary services. This may include user name, email address, phone number, etc.
Data Subject / Data Owner	Individual to whom the personal data belongs to. His/her consent determines the way his/her personal data is processed	These are End users who use Capillary customer’s services
Data Controller	Determines the need and ways to collect personal data of Data Subject and capture the required consent from the Data Subject to provide them the required services	These are Capillary’s customers
Data Processor	Process the personal data authorized by the Data Controller in the way the Data Controller determines.	Capillary perform this function
Sub Processor	Process the personal data in the way authorized by Data Processor in consultation with Data Controller	Capillary may outsource this function to other organizations

Information we collect, process, store & retention

Collection

Capillary is a Data Processor and on behalf of our customers who are the Data Controllers, we store the personal data of End users which is collected directly or indirectly by them. As our customers are the Data Controllers, they determine the purpose, type & amount of Personal Data to be collected from the End Users. Also, our customers ensure to get the required Consent from the end users for collecting & utilizing the Personal Data for the purposes they have determined. We, as a Data Processor ensure safe keeping of the collected Personal Data at all times & utilize them in the way our customers have defined.

We may collect telemetric data like IP address, location, device information etc. to provide the required services to our customers.

Process

Capillary processes the Personal Data shared by our customers who are the Data Controllers in the way they have determined. The Personal Data is analyzed to provide insights to our customers to enhance their business using our products. Analysis of Personal data might involve anonymization, pseudonymization or aggregation (“De-Identified Data”) to provide services agreed with our customers which is consistent with the consent obtained by our customers from the End Users.

Capillary analyzes the Personal Data to provide our customers the ability to perform targeted marketing, upsell or cross-sell their products which will enhance the business options of our customers.

Store

Capillary stores the Personal Data safely & securely using industry standard best practices. The Personal Data is stored encrypted with strict access control enforced. Access & transmission of Personal Data is through encrypted channels only.

Retention

Capillary stores the Personal Data as long as the contract with our customer is in force. With the termination of contract with the customer, the Personal data is deleted within the agreed time period as specified in the contract.

Children data

Our customers are responsible to ensure that their data collection practices comply with applicable children’s data privacy protection legislation such as United States’ Children’s Online Privacy Protection Act ( COPPA) applicable in their jurisdiction of their operations, including acquiring parental consent where applicable. We rely on our customers to disclose whether they collect any Children data and whether they are subjected to COPPA or any applicable regulations.

Data Subject rights

We adhere to the exercise of Data subject rights such as Right to Erasure/forgotten, Right to Information, etc., mandated by all data privacy laws that are applicable to the regions we operate in. We receive requests to exercise these rights in two ways i.e. either from our customers or from the End Users directly. When we receive the request from our customer, we perform the required action as directed by them as long as it is technically feasible and will not affect the services being offered.

If we receive the request directly from the End User, we forward the request to our customer for them to validate the request and based on their feedback, take appropriate action as long as it is technically feasible and will not affect the services being offered.

The most common set of Data Subject rights across data privacy laws applicable in the regions we operate that are allowed through procedure detailed above are the following:

1. Allow End user to access their personal data stored with us to review what personal information about them has been captured and if required, request for change or update details or deletion of the data stored
2. Allow End user to request to restrict the ways the their personal data is processed
3. Allow End user to withdraw their consent for processing of their personal data
4. Allow End user to opt out of sale of their personal data

Disclosure of information

We may disclose Personal Data to our contractors, service providers, parties authorized by our customers who are the Data Controller or other third parties who provide data processing services to us like process billing, to analyze data, host data, to provide customer support, etc either as one-time or scheduled activity. We perform a strict security risk assessment of the third parties with whom we share Personal Data to ensure they comply with all the required regulations before getting into a contract with them.

If we are involved in a merger or acquisition or dissolution or sale of all or partial assets, we may transfer the processing of personal data to them after providing due notice to our customers.

If law enforcement agencies or any government bodies reach out to us through a valid & binding order to disclose Personal Data of End Users, we will promptly redirect them to our customers. In case we are compelled to provide the information asked, we will promptly notify our customer to seek any legal remedy and if that fails, we will share only the bare minimum Personal Data.

Data transfer

Processing may occur in any jurisdiction in which Capillary is established, including the United States, United Kingdom, South East Asia, India and Middle East. Our contractors, service providers and other third parties who provide data processing services to us may process Personal Data in additional jurisdictions. The actual locations of processing depend on the Customer’s implementation of the Services.

Data selling

Capillary doesn’t sell or rent any customer data to any third parties.

Data ownership

Capillary has no rights or ownership of Personal data of End Users shared by our customers who are the Data Controllers.

Data breach

Upon being aware of a personal data breach, Capillary will promptly inform the customer with sufficient information for them to fulfill obligatory reporting to concerned authorities or to Data Subjects.

Capillary will cooperate with the customer in investigating & remediating the personal data breach.

Capillary will also provide the required assistance to the customers if they are investigating a personal data breach incident at their end.

Changes to this Privacy Notice

We may revise this notice from time to time in response to changing legal, technical or business developments. The most current version of this notice will govern our use of Personal Data. We will take appropriate measures to keep our customers informed when we update our Privacy Notice.

Contact

Please direct any questions, comments or concerns regarding this Privacy Notice to Guardians@capillarytech.com