Last Updated: Sept 17 2021
Instructions: This template reflects the generic use and disclosure of personal information that is collected from the individuals online, through websites, web-based forms, web-based applications etc., as well as individual rights with respect to personal information collected by the organization.
This template should be customized with your company’s information and specific circumstances (as it covers GDPR and CCPA, among other legislations). Once finalized, this policy should be presented to individuals through highly visible links placed on each web page or online application page where they enter personal information (after obtaining legal advice independently).
The Policy should be updated at least once every 12 months and should record the last review and/or update date.
Ten Thousand Coffees is a technology company virtually headquartered, which focuses on providing services to deliver Developmental Experiences at scale.
For more information about our services, please refer to our website:
Clients contract the use of our Application and give access to their employees and other third parties, as solely decided by them, by creating users who access the Application with their email address and credentials. The Clients’ administrators grant End Users roles, which result in different permissions and access rights to the information held in the Client account.
We may ask you to provide personal information when:
If you choose to provide us with a third party’s Personal Information (the person’s name, email and company) when taking part in our referral program, you represent that you have the third party’s permission to do so.
The personal information we collect may include first and last name, business email address, phone number, company name.
As an End User of the Application, we collect your name, business email address and any comments you make in the Application.
As a Job Applicant, we may also collect your resume and cover letter.
We collect information about your visits to the Website and the Application when you land on any of our web pages through cookies and similar tracking technology.
The information collected includes:
We may also collect information when you open email messages from us or click on links within those email messages.
We use your Personal Information to:
We do not sell your information to any third party.
If you are an End User of our Application, your personal information may be viewed by other users with access to the Application.
We use third parties to help us provide our Services. They will have access to your information as collected by the Website or the Application, as reasonably necessary to perform the contracted tasks on our behalf. We sign contractual agreements to obligate them to protect the personal information, to only use it to deliver the contracted services to us, to prohibit them from selling it and not to disclose it without our knowledge and permission.
San Francisco, San Francisco.
Google Cloud Platform
Sunnyvale, California, USA
API Server Hosting, Log Aggregation, Static Asset Hosting
Google Cloud + GSuite Terms
Sunnyvale, California, USA
Business Tools, Cloud Identity
Google Cloud + GSuite Terms
San Francisco, USA
New York, NY United States
HA Database Deployment and Management
Mongodb Atlas Terms
San Francisco, California, United States
SendGrid (subsidiary of Twilio)
Denver, Colorado, United States
Transactional Email Service, Behaviour Email Service
Cambridge, Massachusetts, United States
Transactional Email Service, Behaviour Email Service
It is possible that we may need to disclose personal information when required by law, subpoena, or other legal processes as identified in the applicable legislation.
We attempt to notify our clients about legal demands for their personal data when appropriate in our judgment unless prohibited by law or court order or when the request is an emergency.
We can also share your personal data as part of a sale, merger or change in control or in preparation for any of these events.
We are committed to protecting the security of all of the personal information we collect and use.
We use a variety of physical, administrative and technical safeguards designed to help protect it from unauthorized access, use and disclosure. We have implemented best-practice standards and controls in compliance with internationally recognized security frameworks. We use encryption technologies to protect data at rest and in transit.
We provide the same suite of Services to all of our Clients and End-Users worldwide.
We offer the following rights to all individuals regardless of their location or applicable privacy regulations.
For personal information we have about you, you can:
You have the right to obtain information about what personal information we process about you or to obtain a copy of your personal information.
If you have provided personal information to us, you may contact us to obtain an outline of what information we have about you or a copy of the information.
If you are an End User of the Application, you can log in to see the personal information in the account or approach your employer for more information.
You have the right to update/correct your personal information or ask us to do it on your behalf.
You can edit your information through the user account in the Application or ask us to change or correct it by contacting us at firstname.lastname@example.org.
You have the right to request deletion of your personal information at any time. We will communicate back to you within reasonable timelines the result of your request. We may not be able to delete or erase your personal information, but we will inform you of these reasons and any further actions available to you.
You have the right to object to our processing of your personal information for direct marketing purposes. This means that we will stop using your personal information for these purposes.
You may have the right to ask us to limit the way that we use your personal information.
You have the right to request that we export to you in a machine-readable format all of the personal information we have about you.
We do not process personal information through the use of automated means.
If you would like to exercise any of the rights described above, please contact us at email@example.com.
You also have the right to lodge a complaint with the local organizations in charge with enforcing the privacy legislation applicable in your territory.
We retain information as long as it is necessary to provide the Services to you and our Clients, subject to any legal obligations to further retain such information.
We may also retain information to comply with the law, prevent fraud, collect fees, resolve disputes, troubleshoot problems, assist with investigations, enforce our Terms of Service and take other actions permitted by law.
Information connected to you that is no longer necessary and relevant to provide our Services may be de-identified or aggregated with other non-personal data to provide insights which are commercially valuable to Ten Thousand Coffees, such as statistics of the use of the Services.
We process data in locations Google Cloud Platform North America and rely on legally-provided mechanisms to lawfully transfer data across borders, such as contracts incorporating data protection and sharing obligations.
We will only collect and process personal data about you where we have a lawful reason for its collection.
When you visit our Website and provide us with your personal information, we collect and use it with your consent.
As an Application End User, you consent to our collection of your personal information when you log in for the first time. However, your employer has control of the account and may upload and share additional personal information. It is your employer’s responsibility to ensure the collection, use and sharing of the personal information uploaded to the Application complies with all applicable legislation.
You can review the terms and conditions of use here: Terms and Conditions
Where we rely on your consent to process personal data, you have the right to withdraw or decline your consent at any time. If you have any questions about the lawful bases upon which we collect and use your personal data, please contact us at firstname.lastname@example.org.
You may choose to receive or not receive marketing communications from us. To stop receiving marketing communications, please click the “Unsubscribe” link in the email we sent you.
Even if you opt-out of receiving marketing communications, we may still communicate with you in connection with security and privacy issues, servicing your account, fulfilling your requests, or administering any promotion or any program in which you may have elected to participate.
You may contact us to exercise any of your rights or ask for more information about your personal information and our privacy practices by contacting us at email@example.com.
If you are based in one of these jurisdictions, Ten Thousand Coffees is the controller of your personal data collected in the following instances:
Ten Thousand Coffees is a processor of all personal data processed on the Application, on behalf of our Clients. We only process the personal data under their direction. Please contact your employer or the organization that granted you access to the Application for details on their privacy practices.
We only process personal data if we have a lawful basis for doing so. The lawful bases applicable to our processing as controller are:
You have the following rights under the GDPR:
We process personal data in Google Cloud Platform North America Data Centres and share it with our service providers, located in The United States, Canada and other jurisdictions. We use standard contractual clauses as the data transfer mechanism of transferring EU data to countries subject to data transfer requirements. See the table of our service providers here. (link to the table above)
You may contact us at firstname.lastname@example.org or you may contact our EU Data Representative at:
You may also lodge a complaint with your local supervisory authority, EU Data Protection Authorities (DPAs) or Swiss Federal Data Protection and Information Commissioner (FDPIC). See their contact details here National Data Protection Authorities.
This section provides additional specific information for consumers based in California as required by the California Consumer Privacy Act of 2018 (“CCPA”).
In the last 12 months, we have collected the following categories of personal information:
We collect personal information directly from you, from your browser or device when you visit our websites, from third parties that you permit to share your information or from third parties that share public information about you and as stated above.
See the section above, “How we use personal information,” to understand how we use the personal information collected from California consumers.
We share personal information with third parties for business purposes. The categories of third parties to whom we disclose your personal information may include: (i) our service providers and advisors, (ii) marketing and strategic partners; (iii) ad networks and advertising partners; (iv) analytics providers.
As a California resident, you may be able to exercise the following rights in relation to the personal information about you that we have collected (subject to certain limitations at law):
You also have the right to be free of discrimination for exercising these rights.
Please note that if the exercise of these rights limits our ability to process personal information (such as a deletion request), we may no longer be able to provide you with our products and services or engage with you in the same manner.
To exercise your right to know and/or your right to deletion, please submit a request by contacting us at email@example.com.
We will need to verify your identity before processing your request.
In order to verify your identity, we will generally require sufficient information from you so that we can match it to the information we maintain about you in our systems. Sometimes we may need additional personal information from you to be able to identify you. We will notify you.
We may decline a request to exercise the right to know and/or right to deletion, particularly where we are unable to verify your identity or locate your information in our systems or as permitted by law.
You may choose to designate an authorized agent to make a request under the CCPA on your behalf. No information will be disclosed until the authorized agent’s authority has been reviewed and verified. Once a request has been submitted by an authorized agent, we may require additional information (i.e. written authorization from you) to confirm the authorized agent's authority.
If you are an employee/former employee of a Ten Thousand Coffees Client that uses our application and services, please direct your requests and/or questions directly to your employer/former employer.
If you are a third party (auditor, business associate etc.), who was given access to the Ten Thousand Coffees application by a Ten Thousand Coffees Client, please direct your requests and/or questions directly to the Ten Thousand Coffees Client that gave you access.
Our application and services are intended for business use and we do not expect them to be of any interest to minors. We do not intentionally collect any personal information of consumers below the age of 16. We do not sell the personal information of California consumers.
Ten Thousand Coffees was founded on land that is the traditional territory of the Mississaugas of the Credit, the Anishnabeg, the Chippewa, the Haudenosaunee, and the Wendat peoples, and is now home to many diverse First Nations, Inuit, and Metis peoples.