What we do
We provide a platform that allows you to connect and automate the APIs that you use. Whilst we’re based in the United States, we also have a wholly owned UK subsidiary (Plan.nr Ltd). Our staff in both countries work harmoniously together to provide our service and develop the platform.
Our UK subsidiary is our EU GDPR representative. Contact and registration details for both the US and our UK subsidiary are available at the bottom of this policy.
How we protect your personal data
We understand the importance of the data we collect on our customers and sensitivity of what our customers may want to use our platform for. We therefore take maximum precautions and provide full transparency of how we do this. See our security page at https://tray.io/trust for information on how we safeguard your data and the compliance certifications we maintain.
What we do with your data
Website visitors and Cookies
When you visit our website, we’ll place tracking cookies on your device for a number of reasons. Please see which cookies we place and why at https://tray.io/cookies.
Tray Platform users
If you have expressed an interest in our products or platform, or you have signed up for an account, we may use the contact information you provided to better understand how we can tailor the service to you and better inform our sales team.
- Your contact information may be shared with 3rd party services for the purpose of finding additional public data about you to aid our sales team or to provide a more tailored service. These 3rd parties act as data processors and will only be allowed to process this data based on our instructions for the purposes stated above.
- If you create an account with us, we may need extra personal data to ensure the security of your account. You may be asked to create a password which will not be viewable by us or provide an access token which won’t be usable by us.
- We may use your phone number or your email address to send direct or marketing emails in order to contact you about the use of the service or to promote services that we feel you will be interested in.
- Phone calls may be recorded for staff training or sales quality purposes.
The lawful basis for processing the personal data of Tray Platform users is for the legitimate interest of our business. We will only process personal data in ways that our customers would expect of us in order to provide the service they’ve expressed interest in.
If you do not continue to become a customer of ours, then we will delete your data 1 year after signing up or expressing interest with us.
Tray Platform customers
If you’re a customer and have a contract with us or are potentially going to become one, in addition to using your data in the ways mentioned above as a Tray Platform user, we’ll need to collect data to process payments, provide support and monitor your usage of our services.
- This is to ensure you’re receiving the level of service you expect, to help us develop our platform even further or to do what’s necessary for you to become a customer of ours.
- 3rd party services may be used to aid this, such as customer support services like Intercom, payment services like Stripe, or Mixpanel to learn how you use our services.
- Whilst using our services, you may transfer personal data into our platform so that you can take advantage of our API automation. In order to do this, we’re likely to require authentication data like usernames, passwords, tokens. Authorised support staff are only able to view and use this data, with your permission, to provide support to your service.
The lawful basis for processing the personal data of Tray Platform customers is for the performance of the contract we have in place, or in order to enter into a contract.
Most personal data will be deleted 1 month after you end your contract with us. However other non-sensitive personal data may be stored for up to 1 year after you end your contract with us. Data required for legal purposes, such as accounting data, will be stored for as long as legally required.
Sharing of data with 3rd parties
Like many companies, we use a number of 3rd party services to help us provide the service you expect. Whilst these services may require your personal data, we only allow these services to use it under strict conditions and we perform adequate due diligence on these companies and the countries they operate in.
Tray.io is a global company. We’re headquartered in the US and we have an office in the UK. We therefore may transfer personal data outside of the country it was collected in or outside of the European Economic Area ("EEA").
All international transfers are performed under the strict safeguards mentioned on our security page at https://tray.io/trust. When transferring personal data outside of the EEA, we comply with the applicable legal requirements of providing adequate safeguards.
We are EU-U.S. and Swiss-U.S. Privacy Shield certified and our UK subsidiary is GDPR compliant. The same high standards of data protection and data privacy required by the GDPR are implemented throughout our company.
Whenever we transfer personal data out of the European Economic Area (EEA), we will comply with applicable data protection law.
EU-U.S. Privacy Shield
In compliance with the Privacy Shield Principles, Tray.io commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Tray.io at: firstname.lastname@example.org or by mail to Tray.io, Inc. 25 Stillman Street, San Francisco, CA 94107, United States.
Tray.io has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Under certain conditions, and as a last resort, it may be possible for you to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. For additional information, see the U.S. Department of Commerce’s Privacy Shield Framework: Annex I (Binding Arbitration).
The Federal Trade Commission has jurisdiction over Tray.io’s compliance with the Privacy Shield. Tray.io is required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
What rights you have over your personal data
As the owner of your personal data, you have the right to:
- View, restrict the processing or update any personal data we hold about you. A lot of this data can be viewed, updated and exported if you login at https://app.tray.io. For any additional data, please contact us.
- Erase any personal data that is not required for a legal or contractual reason.
- Remove yourself from marketing by clicking the opt-out link at the bottom of any marketing email.
The data controller is Tray.io, inc, 25 Stillman Street, San Francisco, CA 94107, United States.
Our UK subsidiary and EU representative for the GDPR is Plan.nr Ltd, 9th Floor, 107 Cheapside, London, EC2V 6DN, UK.
Should you wish to file a complaint regarding our use of your personal data, the supervisory authority for the UK is the Information Commissioner’s Office and can be reached at https://ico.org.uk.
This policy will be kept up-to-date inline with our processes. Minor amendments may be added to this policy without notice, whereas we will inform our customers of any significant changes. It was last updated on 20 August 2019.