2. What we do
We provide a platform that lets you integrate and automate the software you use via APIs. While we’re based in the United States, we also have a wholly owned UK subsidiary (Plan.nr Ltd). Our staff in both countries work harmoniously together to provide our service and develop the platform.
Our UK subsidiary is our EU GDPR representative. Contact and registration details for both the US and our UK subsidiary are available at the bottom of this policy.
3. How we protect your personal data
We understand the importance of the data we collect on our customers, and the sensitivity of what our customers may want to use our platform for. We therefore take full precautions and provide full transparency of how we do this. See our security page at https://tray.io/trust for information on how we safeguard your data and the compliance certifications we maintain.
4. What we do with your data
Website visitors and Cookies
When you visit our website, we’ll place tracking cookies on your device for a number of reasons. Please see which cookies we place and why at https://tray.io/cookies.
If you have expressed an interest in our products or platform, or you have signed up for an account, we may use the contact information you provided to better understand how we can tailor the service to you and better inform our sales team.
- Your contact information may be shared with 3rd party services for the purpose finding additional public data about you to aid our sales team or to provide a more tailored service. These 3rd parties act as data processors and will only be allowed to process this data based on our instructions for the purposes stated above.
- If you create an account with us, we may need extra personal data to ensure the security of your account. You may be asked to create a password which will not be viewable by us or provide an access token which won’t be usable by us.
- We may use your phone number or your email address to send direct or marketing emails in order to contact you about the use of the service or to promote services that we feel you will be interested in.
- Phone calls may be recorded for staff training or sales quality purposes.
The lawful basis for processing the personal data of Tray users is for the legitimate interest of our business. We will only process personal data in ways that our customers would expect of us in order to provide the service they’ve expressed interest in.
If you do not continue to become a customer of ours, then we will delete your data 1 year after signing up or expressing interest with us.
If you’re a customer and have a contract with us or are potentially going to become one, in addition to using your data in the ways mentioned above as a Tray user, we’ll need to collect data to process payments, provide support and monitor your usage of our services.
- This is to ensure you’re receiving the level of service you expect, to help us develop our platform even further or to do what’s necessary for you to become a customer of ours.
- 3rd party services may be used to aid this, such as customer support services like Intercom, payment services like Stripe or Mixpanel to learn how you use our services.
- Whilst using our services, you may transfer personal data into our platform so that you can take advantage of our API automation. In order to do this, we’re likely to require authentication data like usernames, passwords, tokens. Authorised support staff are only able to view and use this data, with your permission, to provide support to your service.
The lawful basis for processing the personal data of Tray customers is for the performance of the contract we have in place, or in order to enter into a contract.
Most personal data will be deleted 1 month after you end your contract with us. However other non-sensitive personal data may be stored for up to 1 year after you end your contract with us. Data required for legal purposes, such as accounting data, will be stored for as long as legally required.
Sharing of data with 3rd parties
Like many companies, we use a number of 3rd party services to help us provide the service you expect. Whilst these services may require your personal data, we only allow these services to use it under strict conditions and we perform adequate due diligence on these companies and the countries they operate in.
5. International transfers
Tray is a global company. We’re headquartered in the US and we have an office in the UK. We therefore may transfer personal data outside of the country it was collected in or outside of the European Economic Area ("EEA").
All international transfers are performed under the strict safeguards mentioned on our security page at https://tray.io/trust. When transferring personal data outside of the EEA, we comply with the applicable legal requirements of providing adequate safeguards.
We are EU-U.S. Privacy Shield certified and our UK subsidiary is GDPR compliant. The same high standards of data protection and data privacy required by the GDPR are implemented throughout our company.
Whenever we transfer personal data out of the European Economic Area (EEA), we will comply with applicable data protection law.
EU-U.S. Privacy Shield
Tray is responsible for the processing of personal data it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. Tray complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.
In compliance with the Privacy Shield Principles, Tray commits to resolve complaints about our collection or use of your personal information. European Union individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Tray at: firstname.lastname@example.org or by mail to Tray.io, inc, 1161 Mission Street, San Francisco, CA 94103, United States.
Tray commits to cooperate with the panel established by the EU data protection authorities (DPAs) and comply with the advice given by the panel with regard to data transferred from the EU. This independent dispute resolution body is designated to address complaints and provide appropriate recourse free of charge. Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when these dispute resolution procedures have been exhausted.
6. What rights you have over your personal data
As the owner of your personal data, you have the right to:
- View, restrict the processing or update any personal data we hold about you. A lot of this data can be viewed, updated and exported if you login at https://app.tray.io. For any additional data, please contact us.
- Erase any personal data that is not required for a legal or contractual reason.
- Remove yourself from marketing by clicking the opt-out link at the bottom of any marketing email.
The data controller is Tray.io, inc, 25 Stillman Street, San Francisco, CA 94107, United States.
Our UK subsidiary and EU representative for the GDPR is Plan.nr Ltd, 9th Floor, 107 Cheapside, London, EC2V 6DN, UK.
Should you wish to file a complaint regarding our use of your personal data, the supervisory authority for the UK is the Information Commissioner’s Office and can be reached at https://ico.org.uk.
This policy will be kept up-to-date inline with our processes. Minor amendments may be added to this policy without notice, whereas we will inform our customers of any significant changes. It was last updated on 5 September 2018.