Last Updated: November 14th, 2018
In this day and age, online threats and the harm that results are far too prevalent and wide reaching. Company employees and service providers are often the target of some third party’s malicious acts, which can cause a great deal of damage with relatively minimal effort. Tall Poppy helps to minimize such threats and malicious acts by providing security awareness training delivered in person and/or via the Tall Poppy Site (“Trainings”) that helps employees and service providers stay ahead of the online threats that could harm them (“Threats”), while also providing security incident response services (“Response Services”) to those already harmed by such Threats, in an effort to mitigate the negative effects of security incidents (“Incidents”). We refer to the Trainings and Response Services jointly in this Policy as the “Services”.
Often, we are engaged by companies to provide our Services to company employees and service providers. As such, we collect, manage, and use a wide range of information, both personal and non-personal, as further described herein. We take your privacy very seriously—in fact, your privacy is our business. In this Policy, we describe how we collect, manage, and use your information. In this Policy, we also provide you with information concerning the rights you have over the information that we collect, manage and use. We hope that you take some time to read through this Policy carefully, as it is important. If there are any terms in this Policy that you do not agree with, please discontinue use of our Site and Services.
Please read this Policy carefully as it will help you make informed decisions about sharing your personal information with us.
Information That You Provide To Us And That We Discover About You
We collect personal information that you provide to us, and that any authorized third parties or other sources (such as your employer or the subscriber providing you access to our Site and Services) provide to us. The personal information that we collect from you depends on the context of your interactions with and use of the Site and Services. The personal information we collect may include the following:
Name and Contact Data. We collect your first and last name, email address, postal address, phone number, and other similar contact data.
Threat and Incident Data. Given the nature of the Services we provide, often we must collect information concerning the Incidents or Threats affecting you. Sometimes this information will be data that you share with us in order to help us investigate, and sometimes it will be data that we find online in investigating Incidents or Threats. Each Incident and Threat may involve a wide array of your personal information, such as name, email address, postal address, phone number, similar contact data, account usernames, account passwords, device information, payment information, and otherwise. The reality is that we cannot possibly predict all the types of personal information we may uncover when dealing with an Incident or Threat affecting you.
Credentials. We collect usernames, passwords, password hints, and similar security information used for authentication and account access to the Tall Poppy Site.
Information Automatically Collected
We automatically collect certain information when you visit, use or navigate our Site. This information does not reveal your specific identity (like your name or contact information), but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Site and other technical information. This information is primarily needed to maintain the security and operation of our Site, to provide the Services, and for our internal analytics and reporting purposes.
HOW DO WE USE YOUR INFORMATION?
We use personal information that we collect for a variety of purposes described below. We process your personal information for business purposes in reliance on our legitimate business interests ("Business Purposes"), in order to enter into or perform a contract with you ("Contractual"), with your consent ("Consent"), and/or for compliance with our legal obligations ("Legal Reasons"). We indicate the specific processing grounds we rely on next to each purpose listed below. We use the information we collect or receive:
To Facilitate Account Creation And Login [Business Purposes and/or Contractual]. We use personal information that you provide or that is provided to us by third parties (such as the person, business, or organization arranging for you to access the Site or use the Services (e.g., your employer or our subscriber)) in order to create a Site account for your use, provide technical and customer support and training, verify your identity, and send important information concerning your account.
To Provide You Services [Business Purposes and/or Contractual]. We may use your information to facilitate our provision of the Services to you, especially when responding to Threats and Incidents. We also may use your personal information to facilitate the Services and to send you updates concerning Incidents, Threats and other ongoing matters.
Request Feedback [Business Purposes]. We may use your information to request feedback and to contact you about your use and experience with the Site and Services.
To Protect Our Site and Services [Business Purposes and/or Legal Reasons]. We may use your information as part of our efforts to keep our Site safe and secure (Ex: for fraud monitoring and prevention).
To Enforce Our Terms and Policies [Business Purposes, Legal Reasons and/or Contractual]. We may use your personal information to contact you if we suspect that our Terms or any other agreements are being violated.
To Respond To Legal Requests and Prevent Harm [Legal Reasons]. If we receive a subpoena or other legal request, we may need to inspect the data we hold to determine how to respond.
For Other Business Purposes. We may use your information for other Business Purposes, such as data and experience analysis, identifying usage trends, determining the effectiveness of our Site and Services, and to evaluate and improve our Site and Services.
To Send You Marketing And Promotional Communications [Business Purposes and/or Consent]. We and/or our third party marketing partners may use the personal information you send to us for our marketing purposes, if this is in accordance with your marketing preferences. You can opt-out of our marketing emails at any time (see the "Your Privacy Rights" below).
WILL YOUR INFORMATION BE SHARED WITH ANYONE?
We only share and disclose your information in the following situations:
To Help Resolve or Mitigate the Effects of Incidents and Threats. In working to respond to Threats and Incidents, we engage a number of third parties who are skilled at helping to combat the negative effects of Threats and Incidents. As such, we may need to disclose your information to such third parties in furtherance of the Services.
Upon Employer or Subscriber Request. For the purposes of this paragraph, a “Provisioned User” means any person granted access to the Site and Service by his or her employer or any similar third party (such as the person, business, or organization arranging for you to access the Site or use the Services). Please be aware that if you are a Provisioned User, we may disclose to the party that granted you access to the Site and Service aggregate information about Provisioned User behavior such as number of Provisioned User accounts registered with Tall Poppy, number of security actions taken by Provisioned Users, and other metadata about such Provisioned Users. We will not routinely disclose identifying information you share with us in the provision of our services (such as social media account names) back to the party that granted you access to the Site and Service.
Compliance with Laws. We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements).
Vital Interests and Legal Rights. We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our Terms and policies, suspected fraud, situations involving potential threats to the safety of any person and illegal activities, or as evidence in litigation in which we are involved.
Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
Affiliates. We may share your information with our affiliates, if any, in which case we will require those affiliates to honor this Policy. Affiliates include our parent company and any subsidiaries, joint venture partners or other companies that we control or that are under common control with us.
Business Partners. We may share your information with our business partners to offer you certain products, services or promotions, or to facilitate the Services and the Site. The business partners we use to facilitate the Site and the Services include, Google (Google Analytics and G Suite), Slack, Squarespace, MailChimp and others.
With your Consent. We may disclose your personal information for any other purpose with your consent.
IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?
Our servers are located in the United States. If you are accessing our Site or utilizing our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed by us in our facilities and by those third parties with whom we may share your personal information. Your information may be shared in many different countries. If you are a resident in the European Economic Area, then some countries to which your data is transferred may not have data protection or other laws as comprehensive as those in your country. We will however take all necessary measures to protect your personal information in accordance with this Policy and applicable law.
WHAT IS OUR STANCE ON THIRD-PARTY WEBSITES?
The Site may contain advertisements from third parties or links to third party content that are not affiliated with us and which may link to other websites, online services or mobile applications. We cannot guarantee the safety and privacy of data you provide to any third parties. Any data collected by third parties is not covered by this Policy. We are not responsible for the content or privacy and security practices and policies of any third parties, including other websites, services or applications that may be linked to or from the Site. You should review the policies of such third parties and contact them directly to respond to your questions.
HOW LONG DO WE KEEP YOUR INFORMATION?
Given the nature of the Services we provide, we may keep your personal information for up to 2 years past the termination of your account or your use of the Services; we may keep your personal information longer if required by law (such as tax, accounting or other legal requirements). When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
HOW DO WE KEEP YOUR INFORMATION SAFE?
We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. However, please also remember that we cannot guarantee that the internet itself is 100% secure. Although we will do our best to protect your personal information, transmission of personal information to and from our Site is at your own risk. You should only access the Site within a secure environment.
DO WE COLLECT INFORMATION FROM MINORS?
We do not knowingly solicit data from or market to children under 18 years of age. By using the Site, you represent that you are at least 18. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we have collected from children under the age of 18, please contact us at support [at] tallpoppy.io.
WHAT ARE YOUR PRIVACY RIGHTS?
In some regions (like the European Economic Area), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; and (iv) if applicable, to data portability. In certain circumstances, you may also have the right to object to the processing of your personal information. To make such a request, please use the contact details provided below. We will consider and act upon any request in accordance with applicable data protection laws.
If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of the processing before its withdrawal.
If you are resident in the European Economic Area and you believe we are unlawfully processing your personal information, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here.
You may at any time review or change the information in your account or terminate your account by contacting us using the contact information provided below. Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, some information may be retained in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our Terms and/or comply with legal requirements.
Cookies And Similar Technologies
Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Site. To opt-out of interest-based advertising by advertisers on our Site visit http://www.aboutads.info/choices/.
Opting Out Of Email Marketing
In the event that we decide to utilize email to market the Site and Services, you can unsubscribe from our email marketing list at any time by clicking on the unsubscribe link in the emails that we send or by contacting us using the details provided below. You will then be removed from the email marketing list. However, we will still need to send you Site and Service related emails that are necessary for the administration and use of your account.
DO WE MAKE UPDATES TO THIS POLICY?
We may update this Policy from time to time. The updated version will be indicated by an updated “Revised” date and the updated version will be effective as soon as it is accessible. If we make material changes to this Policy, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Policy frequently to be informed of how we are protecting your information.
HOW CAN YOU CONTACT US ABOUT THIS POLICY?
If you have questions or comments about this Policy, email Leigh Honeywell at leigh [at] tallpoppy.io.
or by postal mail to:
Tall Poppy Security, Inc.
340 South Lemon Avenue #6411
Walnut, CA 91789