Privacy Policy

Last Updated: Janvier 12, 2023

Birdie (“our”, “us” or “we”), respects your privacy and is committed to protecting it through our compliance with this privacy policy (“Privacy Policy”).

This Privacy Policy applies to information collected by Birdie through the Birdie Site, any Birdie computer software available from the Birdie Site ("Birdie Software") and any Birdie services purchased or otherwise made available from the Birdie Site ("Birdie Services") (collectively, the "Birdie Properties").

This Privacy Policy does not apply to the practices of any third party websites, applications or services that Birdie does not own or maintain (collectively, “Third Party Services”) or to any third parties that use the Birdie Application Programming Interface (API) to perform any function related to the Birdie Properties (“Integrated Platforms”). In particular, this Privacy Policy does not cover any information or other content you can view via the Birdie Properties on Integrated Platforms or information you provide to Third Party Services accessed via the Birdie Properties. As further detailed below, we cannot take responsibility for the content or privacy policies of any Third Party Services.This Privacy Policy also does not cover any information, recorded in any form, about more than one individual where the identity of the individuals is not known, cannot be inferred from the information, and is not linked or reasonably linkable to an individual, including via a device (“Aggregated Information”). Birdie retains the right to use Aggregated Information in any way that it reasonably determines is appropriate.

By using the Birdie Services or otherwise providing us with your Personal Information (as defined below), you are accepting the practices described in this Privacy Policy, as they may be amended by us from time to time, and agreeing to our collection and use of your information in accordance with this Privacy Policy. If you do not agree to the collection, use and disclosure of your information in this way, please do not use any of the Birdie Properties or otherwise provide Birdie with Personal Information.

Please refer to our Privacy Overview for additional details regarding how Birdie Properties may use your information, including Birdie’s use of certain applications and platforms operated by Third Party Services, and how you may export your data.

What information Birdie collects from you

Birdie collects only the information required to provide products and services to you. The amount of information provided by you and collected by Birdie depends on the circumstances. Birdie may collect two (2) types of information about you: Personal and Non-Personal.

  • “Personal Information.” Personal Information means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, or is otherwise defined as personal information under applicable law. Birdie may collect Personal Information when you use the Birdie Properties including, without limitation, setting up account information, filling out surveys, corresponding with Birdie, or otherwise volunteering information about yourself.

  • “Non-Personal Information.” Non-Personal Information refers to information that does not meet the definition of Personal Information above. Birdie may collect Non-Personal Information through any of the methods discussed above as well as automatically through use of industry standard technologies described further below.

How Birdie collects your information

  • Registration. Prior to using one or more of the Birdie Properties, Birdie may require you to provide us with certain Personal Information and Non-Personal Information to create an account (“Account”) or to enable features or functionality of the Birdie Properties.

  • Users. Birdie may gather Personal Information about organizational representatives via various methods (phone, email, online forms, in-person meetings) but only if such Personal Information is submitted voluntarily. Birdie may use such Personal Information for sales, marketing, and support of the Birdie Properties. This Personal Information is never shared with third parties other than Third Party Service Providers utilized by a User in connection with Birdie Services.

  • User communications. When you send email or other communications to us, we may retain those communications in order to process your inquiries, respond to your requests and improve the Birdie Properties.

  • Payment Information. When creating an Account, for certain Birdie Properties, or when you make online purchases, you may be asked to provide information, which may include your payment instrument number (e.g., credit card), your name and billing address, and the security code associated with your payment instrument (e.g., the CSV) and other financial data (“Payment Information”). We use Payment Information to complete transactions, as well as for the detection and prevention of fraud. When you provide Payment Information while authenticated, we will store that data to help you complete future transactions without your having to provide the information again. We do not, however, retain the security code associated with your payment instrument (e.g., the CSV) in this manner. To remove or modify Payment Information, please contact us. After you close your account or remove Payment Information, however, we may retain your Payment Information for as long as reasonably necessary to complete your existing transaction and for the detection and prevention.

  • Information Collected Through Technology. Birdie automatically collects and receives certain information from your computer or mobile device, including the activities you perform on the Birdie Site, the Birdie Software and the Birdie Services, the type of hardware and software you are using (for example, your operating system or browser), and information obtained from cookies (see below). If you have an Account, we may link this Non-Personal Information to your Account to better understand your needs and the needs of Users in the aggregate, diagnose problems, analyze trends, provide services, improve the features and usability of the Birdie Properties, and better understand and market to our customers and Users.

  • We use technology to automatically gather information by the following methods:

    • Cookies. Birdie uses cookies on the Birdie Site and other aspects of the Birdie Properties. Cookies, including local shared objects, are small pieces of information that are stored by your browser on your computer's hard drive which work by assigning to your computer a unique number that has no meaning outside of the Birdie Properties. Most web browsers automatically accept cookies, but you can usually configure your browser to prevent this. Not accepting cookies may make certain features of the Birdie Properties unavailable to you.
    • IP Address. You may visit many areas of the Birdie Site anonymously without the need to become a registered User. Even in such cases, Birdie may collect IP addresses automatically. An IP address is a number that is automatically assigned to your computer whenever you begin services with an Internet services provider. Each time you access the Birdie Site and each time you request one of the pages of the Birdie Site, the server logs your IP address.
    • Web Beacons. Web beacons are small pieces of data that are embedded in web pages and emails. Birdie may use these technical methods in HTML emails that Birdie sends to Users to determine whether they have opened those emails and/or clicked on links in those emails. The information from use of these technical methods may be collected in a form that is Personal Information.
    • Tracking Content Usage. If you use the Birdie Services and you post audio visual materials including, without limitation, videos, links, logos, artwork, graphics, pictures, advertisements, sound and other related intellectual property contained in such materials (collectively, “Content”) to your website or to a third party website, Birdie tracks and captures information associated with User accounts and the use of Content by those that access your Content.
  • Information You Provide About a Third Party. You may have the opportunity to communicate with others from the Birdie Properties, such as by sending an invitation to a friend. If you choose to take advantage of this functionality, we may ask you to provide us with certain information about the person with whom you wish to communicate (e.g., name, email address, etc.). Birdie collects such information for the purposes of facilitating the requested communication, which may contain a specific promotional message from you (e.g., an invitation to watch a video). Unless we explicitly say otherwise, Birdie will not use this information for other marketing purposes without first obtaining consent from the person to whom the relevant information pertains. Please be aware that when you use any invitation functionality on the Birdie Properties, your email address, name or username, and message may be included in the communication sent to your addressee(s).

How Birdie uses your information

  • Personal Information. Birdie identifies the purpose for which your Personal Information is collected and will be used or disclosed. If that purpose is not listed below, we will identify any additional purposes for which we will collect your Personal Information, before or at the time of collection, and we will obtain your consent to collect, use or disclose your Personal Information for such additional purpose(s).

  • By using the Birdie Properties, you will be deemed to consent to our use of your Personal Information for the purposes of:

    • communicating with you generally;
    • processing your purchases;
    • processing and keeping track of transactions and reporting back to you;
    • protecting against fraud or error;
    • providing information or services requested by you;
    • administering and managing the Birdie Properties and our business operations;
    • personalising your experience with the Birdie Site, as well as evaluating statistics on Birdie Site activity;
    • performing statistical analyses of your behavior and characteristics, in order to measure interest in and use of the various sections of the Birdie Site;
    • communicating with you on other websites;
    • email gating;
    • delivery of content and information to Third Party Services Providers;
    • complying with legal and governmental requirements; and/or
    • fulfilling any other purpose that would be reasonably apparent to the average person at the time that we collect it.
  • Users utilize Birdie Properties to manage and deliver Content to Viewers. As part of this process, Birdie may collect Personal Information from you.

  • Otherwise, we will obtain your express consent (by verbal, written or electronic agreement) to collect, use or disclose your Personal Information. You can change your consent preferences at any time by contacting us (see the “How to Access, Change and Erase Your Personal Information” section below).

  • Birdie extends the rights granted to “data subjects” under the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) to all of its Users. Consequently, you have the right to withdraw your consent to our processing of your Personal Information at any time (if our processing is based on consent) and the right to object to our processing of your Personal Information (if processing is based on legitimate interests).

  • Non-Personal Information. Birdie may use Non-Personal Information for the following purposes:

    • System Administration: Birdie may use Non-Personal Information for the purposes of system administration, assisting in diagnosing problems with Birdie servers, monitoring Birdie's system performance and traffic on the Birdie Properties and to gather broad demographic information about Birdie Users.
    • Personalisation: Birdie uses cookies and IP addresses to track features such as delivering Content specific to your interests and informing you of new, relevant services or certain third party offerings.
  • Personal Information. Birdie identifies the purpose for which your Personal Information is collected and will be used or disclosed. If that purpose is not listed below, we will identify any additional purposes for which we will collect your Personal Information, before or at the time of collection, and we will obtain your consent to collect, use or disclose your Personal Information for such additional purpose(s).

  • By using the Birdie Properties, you will be deemed to consent to our use of your Personal Information for the purposes of:

    • communicating with you generally;
    • processing your purchases;
    • processing and keeping track of transactions and reporting back to you;
    • protecting against fraud or error;
    • providing information or services requested by you;
    • administering and managing the Birdie Properties and our business operations;
    • personalising your experience with the Birdie Site, as well as evaluating statistics on Birdie Site activity;
    • performing statistical analyses of your behavior and characteristics, in order to measure interest in and use of the various sections of the Birdie Site;
    • communicating with you on other websites;
    • email gating;
    • delivery of content and information to Third Party Services Providers;
    • complying with legal and governmental requirements; and/or
    • fulfilling any other purpose that would be reasonably apparent to the average person at the time that we collect it.
  • Users utilize Birdie Properties to manage and deliver Content to Viewers. As part of this process, Birdie may collect Personal Information from you.

  • Otherwise, we will obtain your express consent (by verbal, written or electronic agreement) to collect, use or disclose your Personal Information. You can change your consent preferences at any time by contacting us (see the “How to Access, Change and Erase Your Personal Information” section below).

  • Birdie extends the rights granted to “data subjects” under the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) to all of its Users. Consequently, you have the right to withdraw your consent to our processing of your Personal Information at any time (if our processing is based on consent) and the right to object to our processing of your Personal Information (if processing is based on legitimate interests).

  • Non-Personal Information. Birdie may use Non-Personal Information for the following purposes:

    • System Administration: Birdie may use Non-Personal Information for the purposes of system administration, assisting in diagnosing problems with Birdie servers, monitoring Birdie's system performance and traffic on the Birdie Properties and to gather broad demographic information about Birdie Users.
    • Personalisation: Birdie uses cookies and IP addresses to track features such as delivering Content specific to your interests and informing you of new, relevant services or certain third party offerings.

How to access, change and erase your personal information

Upon request, Birdie will allow Users to update or correct Personal Information previously submitted, but only to the extent such activities will not compromise privacy or security interests. Additionally, upon request, Birdie will delete Personal Information from the database where such information is stored; however, it may be impossible to entirely delete a User’s entry without some residual information being retained due to the manner in which data backups are maintained. Requests to delete Personal Information may be submitted to privacy@birdie.so

Users also have the right to receive their Personal Information from us in a structured, commonly used and machine-readable format, and the right to transmit their Personal Information to another controller without hindrance from us (data portability).

Email preferences

Birdie may use your Personal Information to send you emails periodically listing promotions or events relating to the Birdie Properties. You have the choice to opt-out of receiving such promotional emails by sending an email to privacy@birdie.so and/or following the instructions in such correspondence. OnceBirdie's has processed your opt-out request, Birdie will not send you promotional emails unless you opt back in to receiving such communications.

Disclosure of information to third parties

Except as described below, we do not sell, transfer or otherwise disclose, sell, trade, or otherwise transfer your Personal Information to outside parties. This statement does not include trusted third party service providers who assist us in administering and providing the Birdie Properties or provide services to us. Examples include storing and managed Content, analyzing data, providing marketing assistance, integrations of Third Party Services such as CRM and MAP services, processing credit card payments, and providing customer service. These third party service providers will have access to Personal Information needed to perform their functions, but may not use it for other purposes, and they are subject to appropriate agreements with Birdie and/or its Users to secure and protect the confidentiality of your Personal Information.

We may use service providers located outside of the United States, and, if applicable, your Personal Information may be processed and stored in other countries and therefore may be subject to disclosure under the laws of those countries. You explicitly consent and agree to such transfer, storing and/or processing of your Personal Information outside of the United States or other country in which you are located.

We may share Payment Information with third parties for purposes of fraud prevention or to process payment transactions.

We may also release your information when we believe release is appropriate to comply with the law, enforce our policies, or protect our or others’ rights, property or for safety. We may also provide non-Personal Information to other parties for marketing, advertising or other uses.

Information, including Personal Information, is considered to be a business asset. As a result, in the unlikely event that we go out of business, enter bankruptcy or if we are acquired as a result of a transaction such as a merger, acquisition or asset sale, your Personal Information may be disclosed or transferred to the third-party acquirer in connection with the transaction.

We may also share information related to your account with your employer or organization if you have an individual Birdie account and your account email domain is owned or managed by your employer or organization.

Lastly, we may provide Users with certain usage information directly related to the videos and/or other Content that they make available through the Birdie Properties. Such information may include who watched a particular Content (if the viewer is logged into Birdie), which Content of a particular User was watched, and how many times a particular Content was watched.

Under certain exceptional circumstances, Birdie may have a legal duty or right to collect, use or disclose your Personal Information without your knowledge or consent. In accordance with applicable laws, We will not disclose any consumer information (which may include Personal Information) without your written consent, except where consumer information is required to be disclosed: (i) for billing or market operation purposes; (ii) for law enforcement purposes; or (iii) for the purpose of complying with a legal requirement.

When you create an account using a corporate email domain belonging to your employer or other organization, the organization may be able to (1) access information in and about the account, including your Personal Information; (2) disclose, restrict or access Content posted in connection with the account; and (3) control how the account is accessed or deleted.

You consent to disclosure of your information for the above purposes.

Safeguarding your personal information

Birdie takes appropriate security measures to protect against unauthorized access, alteration, disclosure or destruction of Personal Information. These include, but are not limited to, internal reviews of: (a) Birdie's data collection; (b) storage and processing practices; (c) electronic security measures; and (d) physical security measures to guard against unauthorized access to systems where Birdie stores Personal Information.

Unfortunately, no data transmission over the internet can be guaranteed to be 100% secure. As a result, while we are committed to protecting your Personal Information, we cannot ensure or warrant the security of any information you provide to us.

All Birdie employees who access Personal Information are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution or unauthorized use or disclosure of Personal Information.

Some or all of the Personal Information we collect may be stored or processed on servers located outside your jurisdiction of residence, whose data protection laws may differ from the jurisdiction in which you live. As a result, this information may be subject to access requests from governments, courts, or law enforcement in those jurisdictions according to laws in those jurisdictions.

Retention of information

Birdie retains the Personal Information that we collect about you for as long as reasonably necessary for the purposes set out in this Privacy Policy. We also may retain your Personal Information for a longer period of time on the basis of our legitimate interests in providing or marketing our services to you or as necessary to comply with our legal obligations, to resolve disputes, and to enforce our agreements. Even if we delete some or all of your Personal Information, we may continue to retain and use information that has been aggregated or anonymised so that it can no longer be used for personal identification.

Children and students

Birdie takes the privacy of children and students extremely seriously. Personal information we collect through the Birdie Services may be subject to the Children’s Online Privacy Protection Act (“COPPA”) and/or the Family Educational Rights and Privacy Act (“FERPA”).

COPPA Compliance. COPPA requires that operators of websites and online services that collect the personal information of children under 13 years of age (i) inform parents and legal guardians about their practices for collecting, using and disclosing such personal information and (ii) obtain verifiable consent from parents and legal guardians for doing so. We only collect personal information through the Birdie Services from a child under 13 if that student’s school, school district or teacher has agreed to obtain parental consent for that child to use the Birdie Services and disclose personal information to us for purposes of providing the Birdie Services, or we have directly obtained such parental consent.

If you are a student under 13, please do not send any personal information about yourself to us if your school, school district or teacher has not obtained this prior consent from your parent or guardian, or we have not obtained such consent, and please do not send any personal information other than what we request from you in connection with the Birdie Services. If we learn we have collected personal information from a student under 13 without parental consent having been obtained, or if we learn a student under 13 has provided us personal information beyond what we request from him or her, we will delete that information as quickly as possible. If you believe that a student under 13 may have provided us with personal information in violation of this Privacy Policy, please contact us at privacy@birdie.so

FERPA Compliance. FERPA protects personally identifiable information contained in students’ education records from unauthorized disclosure. Consistent with FERPA, we will only use education records, as defined under FERPA, for the purpose of providing agreed services to a school, school district or teacher. We will never share or sell FERPA-protected information, or use it for any other purposes, except as otherwise directed or permitted by the school, school district or teacher. If a parent or eligible student requests access to education records that are hosted on our servers, we will help facilitate such access.

EU and Swiss Privacy Shield Frameworks

Birdie complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from European Union member countries (as well as Iceland, Liechtenstein, and Norway), the United Kingdom ("UK") and Switzerland transferred to the United States in reliance on the Privacy Shield. Birdie has certified that it adheres to the Privacy Shield Principles with respect to such Personal Information. If there is any conflict between the policies in this Privacy Policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit www.privacyshield.gov

With respect to Personal Information received or transferred pursuant to the Privacy Shield Frameworks, Birdie is subject to the regulatory and enforcement powers of the U.S. Federal Trade Commission.

Types of EU, UK and Swiss Personal Information Collected. Our participation in the Privacy Shield applies to all Personal Information that is subject to this Privacy Policy and is received from the European Union and European Economic Area, the UK and Switzerland. We will comply with the Privacy Shield Principles with respect to all EU, UK and Swiss Personal Information. We may collect employment-related Personal Information regarding our employees located in the EU, the UK and Switzerland.

Purposes of EU, UK and Swiss Personal Information Collection and Use. We will only process EU, UK and Swiss Personal Information in ways that are compatible with the purpose for which we collected the EU, UK and Swiss Personal Information, or for purposes that the individual or entity providing the EU, UK and Swiss Personal Information later authorizes.

Pursuant to the Privacy Shield Frameworks, EU, UK and Swiss individuals have the right to obtain our confirmation of whether we maintain Personal Information relating to you in the United States. Upon request, we will provide you with access to the Personal Information that we hold about you. You may also correct, amend, or delete the Personal Information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to privacy@birdie.so. If requested to remove data, we will respond within a reasonable timeframe.

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your Personal Information, please submit a written request to privacy@birdie.so

In certain situations, we may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Birdie’s accountability for Personal Information that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Birdie remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the Personal Information on its behalf do so in a manner inconsistent with the Principles, unless Birdie proves that it is not responsible for the event giving rise to the damage.

In compliance with the Privacy Shield Principles, Birdie commits to resolve complaints about your privacy and our collection or use of your Personal Information transferred to the United States pursuant to Privacy Shield. European Union and Swiss individuals with Privacy Shield inquiries or complaints should first contact Birdie by email at privacy@birdie.so or via post at:

Birdie, Inc. 40 b rue de Sévigné, 75003 Paris, France.

Birdie has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.

Birdie commits to cooperate with the EU data protection authorities (DPAs), the UK Information Commissioner and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU, the UK and/or Switzerland, as applicable, in the context of the employment relationship with Birdie.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 here

California residents

California law grants additional privacy rights to California residents. In particular, the California Consumer Privacy Act (CCPA) requires businesses to disclose, for the past 12 months, (i) the categories of personal information collected, (ii) the sources of the collected personal information, (iii) the purposes for which the collected personal information is used, (iv) the categories of personal information disclosed for a business purpose, and (v) the categories of any personal information sold. Birdie provides these disclosures in the following table. Birdie has not sold personal information in the past 12 months.

Category: Identifiers
Sources of Collection: Website visits and registration for Birdie Services
Purposes of Collection: To allow use of Birdie Services and to enable Birdie to communicate with you
Disclosures for a Business Purpose: To Birdie service providers for the purpose of providing Birdie Services to you
Category: Personal information categories listed in the California Customer Records statute
Sources of Collection: Registration for Birdie Services
Purposes of Collection: Credit card information to permit payment for premium Birdie Services
Disclosures for a Business Purpose: To Birdie service providers to facilitate payment transactionsCategory: Internet or other similar network activity
Sources of Collection: Your browsing and search history on the Birdie Site
Purposes of Collection: To improve the visitor experience on the Birdie Site, diagnose server problems and administer the Birdie Site
Disclosures for a Business Purpose: To marketing specialist companies for the purpose of enhancing the Birdie Site and improving the effectiveness of our advertising

California residents also have the rights described below. We will not discriminate against any California resident who exercises these rights.

Right to access/know. You may request from us a list of (i) the personal information that we have collected about you, and (ii) the categories of third parties to whom we have disclosed your personal information. You have the right to up to two (2) access requests each twelve (12) months.

Right to delete your personal information. You may request, at any time, that we delete your personal information.

You may contact us to exercise these rights at privacy@birdie.so. To ensure the privacy and protection of individuals, we are required to verify your identity or otherwise authenticate your request(s). Please note that, under the CCPA, we are not required to grant a request to access/know or a request to delete with respect to personal information obtained from you in your role as an employee, owner, director, officer or contractor of a company and within the context of Birdie providing the Birdie Services to such company.

Third Party Websites and Services

The Birdie Properties may contain links to third party websites or services, including Third Party Services, (collectively, “Third Party Sources”) who may collect Personal Information and Non-Personal Information directly from you. Links to Third Party Sources are intended for convenience only. Third Party Sources are wholly independent from Birdie. Third Party Source may have separate privacy policies and data collection practices, independent of Birdie. Birdie: (a) has no responsibility or liability for these independent policies or actions; (b) is not responsible for the privacy practices or the content of such websites; and (c) does not make any warranties or representations about the contents, products or services offered on such websites or the security of any information you provide to them.

Changes to this Privacy Policy

The terms in this Privacy Policy may be changed from time to time, so you should review it periodically for changes. We reserve the right, at any time, to modify or replace this Privacy Policy. The date of the most recent version of the Privacy Policy is noted below under “Effective Date of this Privacy Policy.” We may also notify you via email or other direct electronic communication method of any changes that, in our sole discretion, materially impact your use of the Birdie Properties or the treatment of your Personal Information. Your use of the Birdie Properties following the posting of any changes to the Privacy Policy constitutes acceptance of those changes.

How to contact us

If you have any questions or concerns about this Privacy Policy or our privacy practices, you may contact us directly as follows:
Email us at: privacy@birdie.so,  or write at: Birdie, 40 b rue de Sévigné, 75003 Paris, France.
If you are a resident of the European Union, and you believe that our processing of your Personal Information is inconsistent with your data protection rights under the GDPR and we have not adequately addressed your concerns, you have the right to lodge a complaint with the data protection supervisory authority of your country. Current list of National Data Protection Authorities and members of the European Data Protection Board found here.

Data Processing Addendum

1. Scope of this Data Processing Addendum (“DPA”)

  • This DPA forms part of the Terms between you and Birdie with regard to the processing of personal data that is subject to the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"). Terms used herein that are not otherwise defined have the meanings given in the Terms.
  • The parties agree that Birdie acts as a data processor for you in providing the Service.
  • "Personal data" has the meaning given in the GDPR.
  • “Standard Contractual Clauses” means the clauses annexed to EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (OJ L 39, 12.2.2010, p. 5-18).
  • “International Data Transfer” means any transfer of Controller Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the United Kingdom.

2. Processing of personal data

  • The parties agree that Processor will process the personal data only for the purposes of providing the Service. The types of personal data and the specific uses of the personal data are specified in Exhibit A attached hereto.
  • Controller hereby authorizes Processor to perform International Data Transfers to any country deemed adequate by the EU Commission; or pursuant to the Standard Contractual Clauses. By signing this DPA, Controller and Processor conclude the Standard Contractual Clauses, which are hereby incorporated into this DPA and completed as follows: the “data exporter” is Controller; the “data importer” is Processor; the governing law in Clause 9 and Clause 11.3 of the Standard Contractual Clauses is the law of the country in which Controller is established; Appendix 1 and Appendix 2 to the Standard Contractual Clauses, are Exhibits A and B to this DPA respectively; and the optional indemnification clause is struck. If Processor’s compliance with the Standard Contractual Clauses is affected by circumstances outside of Processor’s control, including if the Standard Contractual Clauses are invalidated, amended, or replaced, then Controller and Processor will work together in good faith to reasonably resolve such non-compliance.

3. Processor's general obligations

  • Processor must ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Processor shall implement appropriate technical and organizational measures to prevent the personal data from being:(i) accidentally or unlawfully destroyed, lost or altered,(ii) disclosed or made available without authorization, or(iii) otherwise processed in violation of applicable laws.
  • The appropriate technical and organizational security measures must be determined with due regard for:(i) the current state of the art,(ii) the cost of their implementation, and(iii) the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
  • Processor shall upon request provide Controller with sufficient information to enable Controller to ensure that Processor complies with its obligations under this DPA, including ensuring that the appropriate technical and organizational security measures have been implemented.
  • Controller is entitled at Controller’s own cost to appoint an independent expert who shall have access to Processor's premises and receive the necessary information in order to be able to audit whether Processor complies with its obligations under this DPA, including ensuring that the appropriate technical and organizational security measures have been implemented. Controller shall provide Processor with 14 days prior written notice, and Controller is obligated to ensure that the expert signs a customary non-disclosure agreement, treats all information obtained or received from Processor confidentially, and may only share the information with Controller. Any findings or reports created on the basis of such an inspection must be shared with Processor and shall be regarded as confidential information.
  • Processor must without undue delay after becoming aware of the facts in writing notify Controller about:(i) any request for disclosure of personal data processed under this DPA by authorities, unless expressly prohibited under European Union or member state law,(ii) any finding of (a) breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed by Processor in connection with the Service, or (b) other failure to comply with Processor's obligations under this DPA, or(iii) any request for access to the personal data received directly from the data subjects or from third parties relating to the processing of personal data on Controller’s behalf.
  • Processor must promptly assist Controller with the handling of any requests from data subjects under Chapter III of the GDPR, including requests for access, rectification, blocking or deletion, which relates to the processing of personal data in connection with the Service.
  • Processor must assist Controller with meeting the other obligations that may be incumbent on Controller according to European Union or member state law related to data processing where the assistance of Processor is implied, and where the assistance of Processor is necessary for Controller to comply with Controller’s data protection obligations.

4. Subprocessors

  • Controller hereby grant Processor a general authorization to engage subprocessors. Processor undertakes to inform Controller of any intended changes concerning the addition or replacement of a subprocessor by providing prior written notice via Controller’s account. If Controller can document objective and valid reasons not to accept suggested new subprocessors, Controller may object to the use of these suggested new subprocessors. If Processor chooses not to suggest alternative subprocessors, or if Controller has valid and objective reasons to object to all suggested alternatives, Controller is entitled to terminate the Terms with Processor within 30 days after receiving notice hereof.
  • Prior to the engagement of a subprocessor, Processor shall conclude a written agreement with the subprocessor, in which at least the same data protection obligations as set out in this DPA shall be imposed on the subprocessor, including an obligation to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.

5. Term and consequences of the termination of this DPA

  • The term of this DPA shall correspond to the term of the Terms.
  • On Controller’s request, Processor shall immediately transfer or delete (including anonymize) personal data which Processor is processing for Controller, unless European Union or member state law requires storage of the personal data.

6. Priority

  • If any of the provisions of this DPA conflict with the provisions of the Terms, the provisions of this DPA shall prevail.

Exhibit A

Subject Matter of Processing
The subject matter of the processing is the Service pursuant to the Terms.

Duration of Processing
The processing will continue until the expiration or termination of the Terms.

Categories of Data Subjects
Employees and other authorized users of Controller.

Nature and Purpose of Processing

  • Nature: Processing as part of the Service provided to Controller by Processor under the Terms.
  • Purpose: The purpose of the processing is to provide the Service pursuant to the Terms.

Types of Personal Data
Includes the following:

  • Name, email address, payment information and related personal data required to register for the Service;
  • Transaction logs for transactions conducted by Controller using the Service;
  • Information about the Controller hardware and software used to access the Service;
  • Information collected by tracking Controller’s posting and usage of content on the Service;
  • Employee authentication information, including user IDs such as user email addresses and organization group and department information to allow Controller to create access control policies;
  • Other data provided by Controller to facilitate Processor’s provision of the Service to Controller.

Exhibit B

Security Measures

Processor will implement the following types of security measures:

  • Physical access control
    Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware):

    • Establishing security areas, restriction of access paths;
    • Establishing access authorizations for employees and third parties;
    • Access control system (ID reader, magnetic card, chip card);
    • Key management, card-keys procedures;
    • Door locking (electric door openers etc.);
    • Security staff, janitors;
    • Surveillance facilities, video/CCTV monitor, alarm system; and
    • Securing decentralized data processing equipment and personal computers.
  • Virtual access control
    Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:

    • User identification and authentication procedures;
    • ID/password security procedures (special characters, minimum length, change of password);
    • Automatic blocking (e.g. password or timeout);
    • Monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous passwords attempts;
    • Creation of one master record per user, user-master data procedures per data processing environment; and
    • Encryption of archived data media.
  • Data access control
    Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to Personal Data in accordance with their access rights, include:

    • Internal policies and procedures;
    • Control authorization schemes;
    • Differentiated access rights (profiles, roles, transactions and objects);
    • Monitoring and logging of accesses;
    • Disciplinary action against employees who access Customer Personal Data without authorization;
    • Reports of access;
    • Access procedure;
    • Change procedure;
    • Deletion procedure; and
    • Encryption.
  • Disclosure control
    Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include:

    • Encryption/tunneling;
    • Logging; and
    • Transport security.
  • Entry control
    Technical and organizational measures to monitor whether Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:

    • Logging and reporting systems; and
    • Audit trails and documentation.
  • Control of instructions
    Technical and organizational measures to ensure that Personal Data are Processed solely in accordance with the instructions of the Controller include:

    • Unambiguous wording of the contract;
    • Formal commissioning (request form); and
    • Criteria for selecting the Processor.
  • Availability control
    Technical and organizational measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical) include:

    • Backup procedures;
    • Uninterruptible power supply (UPS);
    • Remote storage;
    • Anti-virus/firewall systems; and
  • Separation control
    Technical and organizational measures to ensure that Personal Data collected for different purposes can be Processed separately include:

    • Separation of databases;
    • Segregation of functions (production/testing); and
    • Procedures for storage, amendment, deletion, transmission of data for different purposes.

Privacy for Humans

At Birdie, our users’ privacy is at the core of our decision making. We provide a service that changes the way support teams and their customers interact. It allows them to be more expressive and informative in their daily work communication. Sensitive information is passed through our systems, and we don’t take that lightly.We have created this page to show you how our systems use your information. If you wish to view our Privacy Policy, click here

Where does my data go within Birdie?

Text-based Data

Your text-based data is comprised of things like your name, notifications, password, linked accounts like Google and Slack, video names, comments, transcripts, and so on. The majority of this data is stored on an encrypted database at both rest and in-transit within AWS. This server is behind a VPC that only privileged servers have access to (such as our backend application servers). Some of this data is encrypted and sent to our caching layer where it is also encrypted at-rest. This caching layer is also behind a VPC and is additionally not accessible between data centers within AWS.

Image and Video Data

This includes your avatars, videos and thumbnails. These files are stored on our encrypted S3 buckets, which can only be accessed by certain robots and engineers within our organization who have special access.

In order to speed up delivery of your videos to your computer, we utilize our. Our CDN makes use of signed URLs. The CDN URL is not your video page URL. Your video page URL stays the same no matter what, but your CDN URL is the URL that actually delivers the video content.

When we sign these CDN URLs, we have complete control over deciding to not issue a URL to someone who requests it. Basically, even if you understand where a video is located on our CDN, you will not be able to access that URL unless you have the URL signed by us. This is how our password-protected videos work. In this case, we only give you a valid signed URL to view/download if you’ve provided the proper password. An additional benefit to signed URLs is that they expire, so old links will not be usable after some amount of time and you will then need to be issued a new one to access the same content.

Where does my data go outside of Birdie?

We only send data to trusted third-party systems that are subject to strict privacy and security controls. We think it’s important you understand not only what these systems are but also why we send your data to these systems. If you don’t agree with or understand our reasoning, please email us at privacy@birdie.so. If you do not agree with your data going to a specific system, deleting your Birdie account will permanently delete all of your data from all our systems. If you participate in a Birdie Business or Birdie Enterprise account, only the Birdie account administrator at your organization can delete your data.

For folks coming to figure out GDPR compliance, the following third-party services act as data processors for us. When we work with these service providers in our capacity as a data processor for our customers' personal data, the General Data Protection Regulation (GDPR) calls these third-party service providers a sub-processor. A subprocessor is a third party data processor engaged by Birdie who may have access to or process personal data: (i) on behalf of Birdie customers; (ii) in accordance with customer instructions as communicated by Birdie; and (iii) in accordance with the terms of a written contract between Birdie and the subprocessor.

💭 Crisp

  • Location: France.
  • Nature of Processing: Customer support service.
  • What: Crisp is a messaging and marketing platform that allows us to do customer success better. This is where you’re able to chat with us from that little bubble in the bottom-right of our web pages.
  • Why: Crisp has drastically increased our ability to address bugs and handle requests from our users (that’s you!) over when we used to primarily use email. As a part of being able to maintain your relationship with us on this platform, we have to know who you are. We only know this once you’ve created an account, but we use this information for various debugging purposes and to send you product updates and announcements.

📊 Google Analytics

  • Location: United States.
  • Nature of Processing: Data analytics service
  • What: Google Analytics is an analytics platform that more uniquely gives us certain nice-to-have "vanity" analytics and serves as a good place for understanding where on the web our users are coming from.
  • Why: It’s good to know where our users are finding us so we can promote our product more with those partners and channels or figure out whether there are tangential products that should be introduced to our platform.

🐦 Sentry

  • Location: United States.
  • Nature of Processing: Error logging service.
  • What: Sentry is used as our error logging platform. When you get an error, we get it too so we can better fix these bugs as soon as possible.
  • Why: No one likes bugs! Data sent to Sentry includes IP address and your Birdie ID and no other personal information. We grab your IP to get a general location the error is happening in and potentially pin-down bugs that have to do with timezones. We send your user ID so we can more quickly search and diagnose issues surfaced by our users in our customer support panel (Intercom). Your user ID does not reveal any other personal information to the engineer investigating the issue.

Who has access to what within Birdie?

Our non-technical team members have access to Crisp, which allows every person at Birdie to be able to do customer support. Over time, this will become more restricted as we scale up the team to only be customer support individuals.

Our technical team can be granted temporary access to our servers, video and thumbnail storage layers. This is only for debugging or development purposes. Each engineer has a unique key that identifies them within our systems. All actions are logged for 6 years. If their key is compromised, we have an instantaneous way of expiring that key, checking if their key was used by an outsider, and processes to remedy such situations and alert the affected user base. **So far, this has never happened in Birdie's history, and we’re very proud of that.

How can I export my data?

Videos: You can export all of your video data by downloading each individual video.

Text-based Data: Your user information, video titles and video metadata and tags can be exported. Just send us an email at privacy@birdie.so

If you ever want to delete your data, deleting your account will permanently delete all of your data off our systems.

Useful Vocabulary

🔒 Encrypted
Encryption is a process where data is scrambled with a specific secret that only a select few have. If this data is stolen, it cannot be understood unless the stealer has the proper secret. All of your personally-identifiable data (videos, images and text) are encrypted at-rest and in-transit across all systems.

🏃 In-transit
Your data is being sent from one location to another (usually one server/computer to another)

🛌🏾 At-rest
Your data is physically being stored on a device (usually a server)

🕳️ S3 Bucket
This is where we store larger (usually media) files such as images and videos

⚡ Cache Layer
A group of servers that uses faster storage for the purpose of being able to retrieve it faster

🤝 Database
This is a server that stores data that relates to one another. In other words, this is where we can query to answer questions like: "what is a user?", "does a user own one or many videos?", "could you get me a list of all of this user's comments?"

🔥 VPC
A firewall that blocks access to a server or group of servers only to users/robots that have the proper permissions

🌐 CDN
A CDN (Content Delivery Network) is a network of computers around the world whose purpose is to store data as close as possible to the downloader to speed up delivery of media.

🤖 AWS
Short for Amazon Web Services. This is the cloud provider we use at Birdie that allows us to rent storage and compute capacity from their data centers.

If you have any questions about privacy at Birdie, we are here to help. Email us at privacy@birdie.so

Terms of Service

Click here to open our Terms of Service

© Birdie. All rights reserved.