Privacy Commitment
Jul 24, 2024
Theary is committed to protecting and honoring your global privacy rights. We wanted to share some of the measures Theary has put into place to comply with privacy laws and regulations and to emphasize Theary’s ongoing commitment to privacy.
Ongoing Compliance and Communication
As laws, regulations, and guidance from data protection authorities and regulators continue to evolve and more countries are passing new data protection laws and regulations, we will continue to follow these developments closely and evaluate our program for any changes or enhancements as needed.
We value communication with our customers. If you have any questions about our data protection practices, please contact us at info@theary.com
General Data Protection Regulation
The GDPR is a European law establishing protections for the personal data of EU residents that came into force on May 25, 2018. Under the GDPR, organizations that collect, maintain, use, or otherwise process EU residents’ personal data (regardless of the organization’s location) must implement certain privacy and security safeguards for that data. Theary has established a comprehensive GDPR compliance program and is committed to partnering with its customers and vendors on GDPR compliance efforts. Some significant steps Theary takes to align its practices with the GDPR include:
Revising our policies and contracts with our partners, vendors, and users as necessary as requirements change
Enhancing our security practices and procedures
Closely reviewing and mapping the data we collect, use, and share
Creating more robust internal privacy and security documentation
Training employees on global privacy requirements and privacy/security best practices generally
Carefully evaluating and building a data subject rights policy and response process
Below, we provide additional details about the core areas of Theary’s GDPR compliance program and how customers can use Theary to support their own GDPR compliance initiatives.
Data Processing Agreements
Under the GDPR, “data controllers” (i.e., entities that determine the purposes and means of processing data) are required to enter into agreements with other entities that process data on their behalf (called “data processors”). Theary offers its customers the option to enter into a Data Processing Addendum under which Theary commits to process and safeguard personal data in accordance with GDPR requirements. This includes Theary’s commitment to process personal data consistent with the instructions of the data controller.
International Data Transfers
EU-US Data Privacy Framework program, the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework
Theary complies with the EU-US Data Privacy Framework program (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework program (Swiss-US DPF) as set forth by the US Department of Commerce.
In compliance with the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF, Theary commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF to BBB National Programs, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit the BBB National Programs Dispute Resolution Process web site at https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information or to file a complaint. The services of BBB National Programs are provided at no cost to you.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available as set forth in Annex I of the DPF Principles. Theary is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) with respect to its compliance with the provisions of the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF.
Theary will take reasonable and appropriate steps necessary to ensure that any third party who is acting as a “data processor” under EU, UK, and Swiss terminology is processing the personal data we entrust to them in a manner that is consistent with the DPF Principles. Theary is potentially liable in cases of onward transfer to third parties of data of EU, UK, and Swiss individuals received pursuant to the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF, respectively.
If there is any conflict between the terms in this privacy statement and the EU-US DPF Principles and/or the Swiss-US DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
If the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF do not apply, Theary relies on other data transfer mechanisms to transfer personal data outside the EEA, the UK, and Switzerland, such as Standard Contractual Clauses.
Data Access, Management, and Portability Tools
The GDPR gives individual data subjects in certain circumstances the rights to, among other things, access, delete, and make corrections to their personal data. Theary is committed to facilitating data subject requests consistent with the GDPR, as further described in our Privacy Policy.
Privacy Documentation
At its core, the GDPR is focused on transparency, fairness, and accountability. Accordingly, the law requires organizations to maintain documentation about their privacy practices and their decisions about how they handle individuals’ personal data. Theary shares the GDPR’s commitment to these principles and has included within its ongoing GDPR compliance program documentation about its data collection and processing activities, and the various policies and guidelines it follows pursuant to the GDPR. You can learn more about how Theary collects, uses, and discloses personal data by visiting Theary’s Privacy Policy.
Data Security
The GDPR requires organizations to use appropriate technical and organizational measures to protect the security, confidentiality, and integrity of personal data. Security continues to be a priority for Theary. We are working to complete our SOC 2 Type I audit for controls relevant to security. This means that an independent third party is working to validate the processes, practices, and controls we have implemented. We have likewise implemented a variety of safeguards to protect the security of our platform, including encrypting web connections to protect data transmissions, replicating our databases to support reliability of the platform, and controlling access to our facilities and office network.
Exercising Your Rights Under Relevant Global Privacy Law
If you would like to exercise your rights, please submit your request by completing our Global Data Protection Rights Requests Form. For more information about how Theary provides individual consumers with the ability to access and request deletion of their personal information under the CCPA specifically, please see the Privacy Information for California Residents section of our Privacy Statement.
California Consumer Privacy Act
The CCPA (as amended by CPRA) is a law that provides California consumers certain rights with respect to their personal information. Specifically, the law requires that businesses subject to the statute grant consumers the ability to request access to and deletion of their data, and the ability to opt out of certain types of disclosures of their personal information. The law also restricts how service providers that process personal information on behalf of a business may use that information.
Where a business subject to the CCPA has entered into a services or subscription agreement with Theary, Theary will act as a service provider to that business. Specifically, Theary will process such customers’ personal information only for the purposes set forth in the applicable agreement and will cooperate with customers to fulfill their obligations with respect to deletion or access requests.
CCPA Data Processing Addendum
Theary has updated its Data Processing Addendum to specifically reference our obligations under the CCPA (as amended by CPRA). If your organization is a customer of Theary and requires an addendum, please reach out to info@theary.com.
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. Service providers who are permitted by the financial institutions to access their consumers' nonpublic personal information (NPI) are also required to comply with GLBA. Theary complies with GLBA's Privacy Rule and Safeguards Rule. In addition to implementing security safeguards, we only use customer work content to provide our services, and not for any other purpose.
Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act (FERPA) is a federal law that requires academic institutions like colleges and universities to protect the privacy of student educational records. Theary enables our customers to comply with FERPA by ensuring personal data is kept secure and only used to provide our services as described in our Terms of Service and Privacy Statement. Theary contractually commits to not disclosing customer data except as directed by the contracting academic institution, as allowed by our terms, or as required by law.
Act on the Protection of Personal Information
The Act on the Protection of Personal Information (APPI) is the primary data protection law in Japan that regulates the protection of personal information. It applies to business operators handling personal information of individuals in Japan. The APPI has been amended since it was originally enacted in 2003, with the most recent amendments coming into effect April 1, 2022.
Similarly to the distinction between “data controllers” and “data processors” under the GDPR, the APPI distinguishes between “business operators”, meaning entities with the authority to control and make decisions about retained personal information (i.e., Theary’s customers), and third-party service providers handling personal information on behalf of a business operator (i.e., Theary).
The APPI also imposes restrictions on cross-border transfers of personal information outside of Japan. Personal information may be transferred to overseas recipients if there are contractual agreements in place that ensure compliance with data protection standards in Japan.
Theary is committed to processing and safeguarding personal information as required by the APPI and its amendments.