Privacy Policy for users of the Ideas by Sideways 6 app for Microsoft Teams

I am:

• A member of staff at a company running idea campaigns using Ideas by Sideways 6
• A Teams user who has installed the Ideas by Sideways 6 app without an organisational Sideways 6 platform licence

Different information applies to the above two groups. Please click the one that applies to be redirected to the correct part of the policy.

Privacy Policy for users participating in idea campaigns

At Sideways 6, we treat your privacy seriously and only use your personal data to allow you to participate in idea campaigns run using the Sideways 6 platform, administer your account, give you product support as needed, and improve the Sideways 6 product.

We encourage you to read this page thoroughly and contact us at privacy@sideways6.com in case of any queries.

We are Sideways 6 Ltd, the makers of the Ideas by Sideways 6 app for Microsoft Teams. You, the user of the app, are the data subject, and we act as the data processor. Your employer is the data controller.

We are processing your personal data on the basis of your consent. If we did not request consent, it was because you already gave consent for it to be collected and used in the course of your employment, or processing your data is necessary for the performance of your employment contract. This constitutes lawful basis for processing under the GDPR.

Sideways 6 has been certified by BSI to ISO/IEC 27001 under certificate number IS 719021. By operating our Information Security Management System and applying industry best practices, we ensure your personal data is protected from loss, disclosure to inappropriate persons, and unavailability.

Your personal data is stored encrypted on Microsoft Azure servers and is always transferred securely, protecting you against data breaches and disruption. The location of these servers varies depending upon our agreement with your employer. If you are unsure as to which data centres are being used for your data, please contact Sideways 6 support.

You have given your employer some data that is stored in their Azure Active Directory account. We collect the following Azure AD data from all participants (people that have submitted an idea through the app’s form, posted into a tracked channel or team, reacted to a tracked post, commented, or reacted to a comment) of idea management campaigns that include a Teams integration:

• Company email address
• First and last names
• Link to the employee’s Teams user profile and the associated User ID
• Any other personal data if revealed in employee posts or comments on Teams that are collected by ideas campaigns

This data is used to:

• Identify you and allow your employer to run ideation and innovation campaigns
• Personalise your Ideas by Sideways 6 experience by letting you save your preferences
• Send you automated and manual communications
• Request and collect more information about submitted ideas
• Allow your employer to run analytics on the performance of their idea campaigns
• Generate product usage analytics to improve your Ideas by Sideways 6 experience
• Meet audit log requirements set out in our agreement with your employer
• Provide product support when requested and notify you of any disruption

We will keep your personal data for the whole length of the engagement between your employer and Sideways 6, and up to 30 days thereafter. It is then deleted or anonymised.

To further process your data, we use third party product support and analytics tools like Intercom to enable us to react to Sideways 6 platform users’ questions and issues and continually improve the user experience. We host our platform and all data on third-party Microsoft Azure servers as well as use their Text Analytics API.

We use the following sub-processors to process your personal data:

• Microsoft Azure for IaaS cloud hosting and text analytics, covering all personal data processed as above. The Sideways 6 platform is run at the West Europe Microsoft Azure location. Data is also stored in the West Europe Microsoft Azure location in the Netherlands by default and does not leave the EU, but this may be changed to a different Azure Location on customer request. International data transfer bases are therefore dependent on the storage location chosen. The Azure Online Services Terms, however, incorporate the Standard Contractual Clauses. Microsoft Azure holds a number of security certifications and attestations, including ISO 27001.
• Intercom for providing product support via in-app chat and email. Name and surname, email, and job title are processed. We also use Intercom to collect product feedback, serve Product Tours, and contact users to request feedback on existing and future functionality. Data is processed in the US and transferred under Standard Contractual Clauses, which form part of the Data Processing Addendum signed by both Sideways 6 and Intercom. Intercom hold a SOC 2 Type II attestation.
• Twilio SendGrid for sending out emails from the Sideways 6 platform. Name, surname, and email are processed. Data is processed in the US and transferred under Standard Contractual Clauses, which are part of the Data Protection Addendum, incorporated into the Twilio Terms of Service by reference. SendGrid hold a SOC 2 Type II attestation.
• Mixpanel for product analytics and insights in our Ideas by Sideways 6 Teams App and the core Sideways 6 platform. Name, surname, and email are the personal data processed. Data is hosted in the US, may be accessed in the US, EU, and elsewhere, and is transferred under Standard Contractual Clauses, which are part of the Data Protection Addendum, incorporated into the Mixpanel Terms of Use by reference. Mixpanel hold a SOC 2 Type II attestation.

At the moment, Sideways 6 does not carry out any profiling in relation to campaign participants.

Under the General Data Protection Regulation, you have a right to:

• Be notified within 72 hours of a data beach concerning your data. We will notify our customers within 12 hours if we discover a data breach to allow them to inform the relevant data subjects in a timely manner.
• Access what and how your personal data is being processed and request a copy of it. You can do this by contacting us at privacy@sideways6.com.
• Be forgotten if your data is no longer relevant to its original purpose. For such requests, you may contact us at privacy@sideways6.com.
• Get a copy of your data that we store in a portable (easy to use elsewhere) format. We can provide a copy of the data in XLS/CSV format if requested at privacy@sideways6.com.
• Have a record of your personal data be corrected in case of errors or inaccuracies. To do this, you may contact your (potentially former) employer directly, Sideways 6 Support, or privacy@sideways6.com.
• Complain to the GDPR supervisory authority appointed by your EU member state or the UK if you believe your rights are being encroached.

We will respond to a data subject access request within one calendar month.

We do not process or control data belonging to special categories, like health information or political views, unless manifestly revealed by the employee as part of their campaign activity to the internal public, which is an exception that allows for processing them under the GDPR.

The California Consumer Privacy Act takes the position that consumers own their data and provides them with five general rights regarding their PII. California-based consumers therefore have the right to:

• Know what personal information is collected about them.
• Know whether and to whom their personal information is sold/disclosed, and to opt-out of its sale, where sale means any transfer in exchange for a monetary or other compensation. We will never sell your data.
• Access their personal information that has been collected over the last 12 months. Once the request is made, businesses must disclose the requested information free of charge within 45 days. We can provide a copy of the data in XLS/CSV format if requested at privacy@sideways6.com.
• Have a business delete their personal information, excluding information under legal hold (until the matter is adjudicated or until the hold is released) and for information that must be retained per legal or regulatory recordkeeping requirements. If a data deletion request is made by emailing privacy@sideways6.com, we will delete all data that pertains to you not related to the subject your employment or as is otherwise legally required.
• Not be discriminated against for exercising their rights under the CCPA.

Privacy Policy for users of Ideas by Sideways 6 without a licence

At Sideways 6, we treat your privacy seriously and only use your personal data to contact you about implementing Sideways 6 in your organisation. You can ask us to stop processing your data at any point.

We encourage you to read this page thoroughly and contact us at privacy@sideways6.com in case of any queries.

We are Sideways 6 Ltd, the makers of the Ideas by Sideways 6 app for Microsoft Teams. You, the Teams user who installed Ideas by Sideways 6 into your Teams organisation without having an organisational Sideways 6 licence, are the data subject. Sideways 6 Ltd is the data controller for your personal data.

We are processing your personal data on the basis of your consent to be contacted. This constitutes lawful basis for processing under the GDPR.

Sideways 6 has been certified by BSI to ISO/IEC 27001 under certificate number IS 719021. By operating our Information Security Management System and applying industry best practices, we ensure your personal data is protected from loss, disclosure to inappropriate persons, and unavailability.

Your personal data is stored encrypted in our Azure tenant on Microsoft Azure servers and/or in our HubSpot account, and is always transferred securely, protecting you against data breaches and disruption.

We collect the following data about you:

• Company email address
• First and last names
• Phone number if provided
• Professional social networking profile if provided

This data is used to:

• Contact you about implementing Sideways 6 in your organisation
• Track our interactions with you

We will keep your personal data for 5 years or until you ask us to delete it, whichever is earlier.

To further process your data, we use third party product support and analytics tools like Intercom to continually improve the user experience. We host our platform and all data on third-party Microsoft Azure servers as well as use their Text Analytics API.

We may use the following sub-processors to process your personal data:

• Microsoft Azure for IaaS cloud hosting and text analytics, covering all personal data processed as above. The Sideways 6 platform is run at the West Europe Microsoft Azure location. Data is also stored in the West Europe Microsoft Azure location in the Netherlands by default and does not leave the EU, but this may be changed to a different Azure Location on customer request. International data transfer bases are therefore dependent on the storage location chosen. The Azure Online Services Terms, however, incorporate the Standard Contractual Clauses. Microsoft Azure holds a number of security certifications and attestations, including ISO 27001.
• Intercom for providing product support via in-app chat and email. Name and surname, email, and job title are processed. We also use Intercom to collect product feedback, serve Product Tours, and contact users to request feedback on existing and future functionality. Data is processed in the US and transferred under Standard Contractual Clauses, which form part of the Data Processing Addendum signed by both Sideways 6 and Intercom. Intercom hold a SOC 2 Type II attestation.
• Mixpanel for product analytics and insights in our Ideas by Sideways 6 Teams App and the core Sideways 6 platform. Name, surname, and email are the personal data processed. Data is hosted in the US, may be accessed in the US, EU, and elsewhere, and is transferred under Standard Contractual Clauses, which are part of the Data Protection Addendum, incorporated into the Mixpanel Terms of Use by reference. Mixpanel hold a SOC 2 Type II attestation.
• Sideways 6 Development OOO, a fully owned subsidiary of Sideways 6 Ltd for providing product support including investigation of issues, in the course of which all personal data listed above may be accessed.
  Data is transferred outside the EU under Standard Contractual Clauses, and our remote team and London offices share the same company policies, ensuring that Sideways 6 Development is bound by the same information security and data privacy obligations as the parent company. All operations undergo ISO 27001 audits regularly as part of our certification programme.

At the moment, Sideways 6 does not carry out any profiling in relation to your data.

Under the General Data Protection Regulation, you have a right to:

• Be notified within 72 hours of a data beach concerning your data. We will notify our customers within 12 hours if we discover a data breach to allow them to inform the relevant data subjects in a timely manner.
• Access what and how your personal data is being processed and request a copy of it. You can do this by contacting us at privacy@sideways6.com.
• Be forgotten if your data is no longer relevant to its original purpose. For such requests, you may contact us at privacy@sideways6.com.
• Get a copy of your data that we store in a portable (easy to use elsewhere) format. We can provide a copy of the data in XLS/CSV format if requested at privacy@sideways6.com.
• Have a record of your personal data be corrected in case of errors or inaccuracies. To do this, you may contact your (potentially former) employer directly, Sideways 6 Support, or privacy@sideways6.com.
• Complain to the GDPR supervisory authority appointed by your EU member state or the UK if you believe your rights are being encroached.

We will respond to a data subject access request within one calendar month.

We do not process or control data belonging to special categories, like health information or political views.

The California Consumer Privacy Act takes the position that consumers own their data and provides them with five general rights regarding their PII. California-based consumers therefore have the right to:

• Know what personal information is collected about them.
• Know whether and to whom their personal information is sold/disclosed, and to opt-out of its sale, where sale means any transfer in exchange for a monetary or other compensation. We will never sell your data.
• Access their personal information that has been collected over the last 12 months. Once the request is made, businesses must disclose the requested information free of charge within 45 days. We can provide a copy of the data in XLS/CSV format if requested at privacy@sideways6.com.
• Have a business delete their personal information, excluding information under legal hold (until the matter is adjudicated or until the hold is released) and for information that must be retained per legal or regulatory recordkeeping requirements. If a data deletion request is made by emailing privacy@sideways6.com, we will delete all data that pertains to you not related to the subject your employment or as is otherwise legally required.
• Not be discriminated against for exercising their rights under the CCPA.