Last Updated: Mar 11, 2022
This Privacy Policy (“Policy”) applies to all products, services, and content offered by Wallwisher, Inc. DBA Padlet (“Padlet,” “we,” “us,” “our,” and our subsidiaries, affiliates, or holding company). For EU residents, when handling your information, Padlet may be acting as both a Controller and a Processor as those terms are defined under the European Union’s General Data Protection Regulation (“GDPR”). For California residents, when handling your information, Padlet shall act as a Service Provider under the California Consumer Privacy Act.
Overview
Padlet takes user privacy seriously. This Policy describes how we handle information collected in relation to access and use of padlet.com (the “Site”), our mobile and desktop applications (the “App”), browser extensions, blog, and related products and services (collectively, the “Service”). When you access or use the Service, you are deemed to consent to the collection, use, retention, transfer, structuring, manipulation, storage, transmission and/or disclosure (collectively, “processing”) of your information as described in this Policy and in accordance with applicable laws.
This Policy does not govern what our users do on their own padlets (i.e. custom pages that people make using the Service). When you visit a padlet page created by another Padlet user, that page may collect more information than we do and may provide information to third parties that we have no relationship with. We request you use discretion when sharing personal information on padlet pages created by other users.
This Policy also does not apply to websites or services you might access through links or other features (e.g., YouTube videos, Twitter buttons) on the Service. These other services have their own privacy policies, and we encourage you to review them before providing them with personal information.
Information you give us
We may ask for and collect the following personal information about you when you use the Service. This information is necessary for the adequate performance of the contract between you and us, for our legitimate interest in being able to provide and improve the Service, and to allow us to comply with our legal obligations. Without it, we may not be able to provide the Service as intended.
Account and Profile Information
When you create an account on a Padlet Service (an “Account”), we require you to provide us information such as your username, password, and email address. This information is used for confirming your identity and providing access to the Service.
You can also provide us your photo, your name, and a short bio, so other users can better identify you when you collaborate with them. It also allows us to personalize your experience. As a user with a Padlet account on padlet.com. you will have a publicly accessible profile where your photo, name, username, and bio will be visible. We do not expose your email address to the public. If you are using our Schools and Business products, your profile is not public.
Contact Information
When you contact us via our chat and email channels, you may provide us, in addition to the content of your message, your name and email address. If you call our support hotline, you provide us your phone number and any information you choose to provide us in relation to your inquiry. When you contact us for support or feedback, your information is used solely to respond to your request. We do not use your information for marketing.
Information About Your Accounts on Third-Party Services
Padlet provides the ability to log in to the Service using your Google, Facebook, or Microsoft account. If you authenticate yourself using any of these services, you grant us access to your email address, and, if available, your name, photo, and username associated with them. We do not receive your password.
Information Posted on Padlets (User content)
Users can create padlets where they and other users can contribute, i.e., post content. This content (“user content”) may include text, images, videos, audio, documents, files, links from the web, drawings, and maps.
The administrators of a padlet (the creator and other users appointed as such by the creator) can choose its privacy — private, password protected, members only, secret, public, org-wide. The privacy of your user content is dependent on the privacy of the padlet.
Private: Only registered Padlet users invited to the padlet can view content.
Password protected: People who have the password to the padlet can also view content.
Secret: People who have the link to the padlet can view content.
Members only (only available in Personal plans): People who are logged in to Padlet can view content.
Public (only available in Personal plans): Your content is public on the internet.
Org wide (Only available in Schools and Business plans): People in the same school or company can view content.
If you are contributing to a padlet, we advise you to exercise caution when sharing personal information regardless of the privacy level. The administrators of a padlet can change its privacy at any time; a padlet you thought was private today may become totally public tomorrow.
Public padlets give us, Padlet, the right to view, share, and promote the content on them.
Precise Location Information
We let users easily add maps to padlets. When adding a map, users can choose to add a map of their current location. Should a user choose to do so, we may request a one-time access to the user’s precise location (correct to 10 meters). The location is used only to generate the map that one time. We do not store or track your device location on an ongoing basis.
Payment Information
When you use a service that requires payment, we collect your name, email, and credit card information for the purpose of billing and charging you. Your payment information is stored in a PCI compliant way.
Information We Track Automatically
When you use the Service, we may automatically collect information, including personal information, about you and how you use the Service. This information is necessary for the adequate performance of the contract between you and us, to enable us to comply with legal obligations and given our legitimate interest in being able to provide and improve the Service.
If you use Padlet on different devices, we may associate and combine the information we collect from those different devices to help us provide a consistent service across your different devices. If we do combine any automatically-collected information with personal information, we will treat the combined information as personal information, and it will be protected as per this Policy.
Information Collected Using Cookies
Cookies are data that a website can store on a user’s web browser for a duration of time. Every website stores its own set of cookies and, by design, one website cannot read the cookies of another website.
Padlet’s cookies are used to:
- authenticate users
- keep users logged in while they use the Service
- track user behavior on the Service (e.g. which page the user visited after the home page)
- remember user preferences (e.g. timezone)
When you share links to external services on Padlet, e.g. YouTube, those services may store cookies on your browser too. We have no control over the cookies they store and what they do with them.
We collect device-specific information such as:
- device brand, version, and type (e.g. Samsung Galaxy S9 Cellphone)
- operating system and version (e.g. Android 8.0)
- browser type and version (e.g. Chrome 63.0)
- screen size and resolution (e.g. 375px wide retina screen)
This helps us measure how the Service is performing, improve Padlet for you on your particular device, and send you push notifications if you’ve opted in to receive them.
We collect information about how people use the Service. This information includes general usage information, and may include information such as the number and frequency of our visitors, which pages or features of the Service they have visited, which links on the Service they have clicked on, and the length of those visits.
We may also use third party applications and services, such as Google Analytics (GA), to collect, analyze, and report this information. We may also use some of this information in aggregate form, that is, as a statistical measure related to all of our users that would not identify you personally.
We use information about your use of the Service to improve and enhance your experience on the Service. We, under no circumstances, sell or share this data with others.
An IP address is an address assigned to any device connected to the Internet. Depending on where you are, your IP address can be unique to your computer, or shared among many devices. An IP address can be used to locate the device it is assigned to, and in turn the user using it.
When you use the Service, we collect your IP address for:
- analytics (e.g. how many people from France used Padlet today)
- detecting and preventing child sexual abuse material (CSAM)
- detecting your country or state for tax purposes if you purchase a membership. We do not store the IP address in this case
We do not store your IP address anywhere on our service for longer than 30 days after your visit. We use Google Analytics’ IP anonymization feature to prevent them from associating your activity with your identity. (So, GA will only see that someone in San Francisco visited page X, not someone who lives on the corner of 6th St and Mission St.)
How Long We Retain Information
Padlet will keep information for as long as necessary to provide the Service under our Terms and Conditions and other relevant agreements between you and Padlet. We will also retain information so as to fulfil any legal requirement to which we are subject to, e.g. trade, tax, and employment law. We will discard personal information when:
- the data subject withdraws consent to processing,
- our contractual obligations have been fully performed and cannot be performed to any further extent, or
- the personal information is obsolete.
We will also not keep any information the processing of which has been objected to, or for which a request for erasure has been made, beyond the legally required timeframe to complete such a request (usually 30 days).
First and foremost, you should know that Padlet does not sell or rent your personal information to any third-party for any purpose.
We share information we collect from you under the limited circumstances set forth below:
Information Shared With the Public Through the Service
All registered users on padlet.com have a public profile (e.g. https://padlet.com/doodlebug). The profile has the user’s profile photo, name, username, bio, and their public padlets.
These profiles are accessible to and searchable by all Padlet users. These profiles may also be indexed by search engines like Google and Bing.
Any content you post on a public padlet is also indexable by search engines and, as such, is open to the public.
If you have bought a school or business account, the above does not apply as those accounts are not public.
Information Shared With Other Padlet Users Through the Service
When you collaborate with other people, they can see your profile photo, name, and username.
Information Shared With Service Providers in Order to Operate and Improve the Services
We work with many vendors, service providers, and other partners to help us provide the Service by performing tasks on our behalf. These service providers may be located inside or outside of the European Economic Area (“EEA”). We may need to share or provide information (including personal information) to them to help them perform these business functions. E.g.:
- We use Front to manage customer support requests. We share your name, your email, and your messages with them.
- We use Sentry to notify us when a user encounters an error so we can fix it promptly. We share your device information with them.
- We use Chargebee to manage billing. They store your name, email, and credit card information.
- We use the providers listed here to support our operations. These providers have limited access to your personal information to perform these tasks on our behalf, and are contractually bound to protect and use it only for the purpose for which it was disclosed and consistent with this Policy. Padlet has also entered into Data Processing Agreements with parties who process personal data on our behalf or in connection with the use of the Padlet Service.
Information Shared with Third Parties
We may share aggregated information (information about our users that we combine together so that it no longer identifies or references an individual user) and other de-identified or non-personally identifiable information, with users, partners, press, or other third-parties in order to, for example, demonstrate how Padlet is used, spot industry trends, or to provide marketing materials for Padlet. Any aggregated information and non-personalized information shared this way will not contain any personal information.
Information Disclosed to Fulfil Legal Obligations
We may disclose personal information if necessary to comply with the law, such as complying with a subpoena or other legal process. We may need to disclose personal information where, in good faith, we think it is necessary to protect the rights, property, or safety of Padlet, our employees, our community, or others, or to prevent violations of our Terms of Service or other agreements. This includes, without limitation, exchanging information with other companies and organizations for fraud protection or responding to law enforcement and government requests.
Where appropriate, we may notify users about the legal requests, unless (i) providing notice is prohibited by the legal process itself, by court order we receive, or by applicable law; (ii) we believe that providing notice would be futile, ineffective, create a risk of injury or bodily harm to an individual or group, or create or increase a risk of fraud upon Padlet, or its users. In instances where we comply with legal requests without notice for these reasons, we will attempt to notify that user about the request after the fact where appropriate and where we determine in good faith that we are no longer prevented from doing so.
Information Disclosed Pursuant to Business Transfers
Over time, Padlet may grow and reorganize. We may share your personal information with affiliates such as a parent company, subsidiaries, joint venture partners or other companies that we control or that are under common control with us, in which case we will require those companies to agree to use your personal information in a way that is consistent with this Policy.
In the event that all or a portion of Padlet or its assets are acquired by or merged with a third-party, personal information that we have collected from users would be one of the assets transferred to or acquired by that third-party. This Policy will continue to apply to your information, and any acquirer would only be able to handle your personal information as per this Policy (unless you give consent to a new policy). We will provide you with notice of an acquisition within 30 days following the completion of such a transaction, by posting on our homepage, or by emailing you on your email address on file. If you do not consent to the use of your personal information by such a successor company, you may request its deletion from the company.
In the unlikely event that Padlet goes out of business, or files for bankruptcy, we will protect your personal information, and will not sell it to any third-party.
Information Shared to Enforce Content Policy
To make sure that all content on Padlet conforms to our content policy, we run all user content, no matter the privacy, through a series of automated checks. If any content is flagged to be in violation of our content policy, Padlet authorized personnel may look at it to determine the appropriate action to be taken against that content. This helps us keep the Service safe and appropriate for all users.
You may access Third Party Services through the Service, for example by watching a YouTube video on a padlet. You may also choose to share information that you provide to us with Third Party Services (e.g., by posting your padlet to Twitter or Facebook). These services have their own privacy policies which we don’t govern. We encourage you to review them before providing them with personal information.
Information Shared With Your Consent or at Your Request
Other than the cases above, we will share your information only if we have your consent.
How We Secure Information
The security of your personal information is important to us. We maintain administrative, technical and physical safeguards to protect against loss, theft, unauthorized use, disclosure, or retrieval of personal information. In particular:
- We perform application security testing; penetration testing; and monitor compliance with security policies
- We periodically review our information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to systems
- We continually develop and implement features to keep your personal information safe
- When you enter any information anywhere on the Service, we encrypt the transmission of that information using transport layer security technology (TLS) by default
- We ensure passwords are stored and transferred securely using encryption and salted hashing
- The Service is hosted on servers at a third-party facility, with whom we have a contract providing for enhanced security measures. For example, personal information is stored on a server equipped with industry standard firewalls. In addition, the hosting facility provides a 24x7 security system, video surveillance, intrusion detection systems and locked cage areas
- We operate a ‘bug bounty’ security program to encourage an active community of third-party security researchers to report any security bugs to us
- We restrict access to personal information to authorized Padlet employees, agents or independent contractors who need to know that information in order to process it for us, and who are subject to strict confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations
- We require subprocessors to comply with security requirements via separate data processing agreements
If we learn of a security breach, we will attempt to notify you electronically (subject to any applicable laws) so that you can take appropriate protective steps; for example, we may post a notice on our Site or elsewhere on the Service, and email to your email address on file. Depending on where you live, you may have a legal right to receive notice of a security breach in writing.
Deleting Your Account
You may delete your Account at any time. You can do so from your Account Settings page on the Site or the App or by sending us a request using our support page. If you email us, we may require sufficient identifying information to be able to determine that you own the account.
When you delete your account, we delete:
- your profile information and any other content you provide in your profile (such as your name, username, password, email address, and profile photos)
- all the padlets you have created and all the content posted on them, whether or not that content was created by you
We do not delete the user content you posted on padlets created by other users. It will continue to be on the platform, albeit anonymized (unless you shared personal information in the user content itself). Padlets are shared documents and the creator of the padlet is ultimately the owner of the content on it. It jeopardizes the contract between you and the padlet creator if you are allowed to delete content. If you shared a Google Doc with someone and they edited it, you wouldn’t want the edits to disappear if they deleted their account the following day.
We also do not delete non-identifiable aggregate information about your usage of the service.
We aim to maintain our services in a manner that protects information from accidental or malicious destruction. Because of this, even after you update or delete personal information you have provided us from our Service, your personal information may be retained in our backup files, archives, and server logs for up to 30 days, unless legal obligations require us to retain them for longer periods of time.
Please be aware that deleting your Account may not fully remove all content you have published on our Service from search engine indexes (e.g. Google) and network caches. We cannot control the behavior of these entities.
Your Rights
You have the choice to request correction and/or deletion of personal information we process about you as well as to request that we cease communicating with you where we do so on the basis of your consent or previous customer relationship with you. If you are a registered user, you can access and update most information associated with your Account by logging in to the Service and checking your Account Settings page.
Customers based in the European Union or the European Economic Area shall have the following data subject rights in line with the European Union General Data Protection Regulation:
- Right to withdraw consent for processing of personal information at any time
- Right to be forgotten or to require deletion or blocking personal data which is incorrect or which has been processed illegally
- Right to restrict or object to certain types of processing of personal information
- Right to demand the rectification of erroneous or incomplete personal information
- Right to obtain a copy of personal information in a structured machine-readable format and, on request, to transmit personal data to other data controllers
Your California Privacy Rights
Under the California Consumer Privacy Act, you are entitled to a copy of the data you have provided to us by sending a mail to [email protected].
Under California Civil Code sections 1798.83-1798.84, California residents have the right to request from us a list of all third parties to which we have disclosed personal information during the previous year for direct marketing purposes. Alternatively, the law stipulates that if a business entity maintains a privacy policy that provide users with an “opt-out” mechanism for use of personal information by third parties for their marketing purposes, the business entity may as an alternative provide you with information on how you may opt-out from the use of information by third parties for direct marketing purposes.
We have not shared your personal information with any third party for direct marketing purposes. Should you need this in writing, you can contact us via the information provided later in this Policy.
Padlet does not differentiate or discriminate how we treat our users whether they exercise their rights under the CCPA.
Privacy Shield
Padlet complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Padlet has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/. No other entities are covered by our certification.
As of July 16, 2020, we no longer rely on the EU-U.S. Privacy Shield to transfer data that originated in the EEA or the UK to the U.S. However, we will continue to honor our commitment to the Privacy Shield Principles.
For EU, Swiss and UK subscribers, Padlet will comply with the Standard Contractual Clauses (“SCC”) as set forth by the provisions of GDPR regarding the collection, use, and retention of personal information from European Union, Switzerland, and the United Kingdom to the United States. If there is any conflict between the terms of this privacy policy and the SCC, SCC shall govern.
Recourse, Enforcement, Liability.
In compliance with the Privacy Shield Principles and the SCCs, Padlet commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy or the SCCs should first contact Padlet at [email protected]. Further contact information can be found at the end of this document. Padlet has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU and Switzerland in the context of the employment relationship.
Note that Padlet is subject to investigatory and enforcement powers of the U.S. Federal Trade Commission with respect to personal data.
Changes to This Privacy Policy
We may amend this Privacy Policy from time to time. In case of major changes, we will notify users by email addresses provided to us.
If you don’t agree with any changes to the Privacy Policy, you may terminate your account. By continuing to use the Service after the revised Privacy Policy has become effective, you acknowledge that you accept and agree to the current version of the Privacy Policy.
If you have any questions, concerns, or complaints regarding this Policy or our data processing activities, please contact us by email at [email protected] or write to us at:
Wallwisher, Inc. 981 Mission St San Francisco, CA 94103
Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Padlet has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:
- by using EDPO’s online request form: https://edpo.com/gdpr-data-request/
- by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium
Pursuant to Article 27 of the UK GDPR, Padlet has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:
- by using EDPO’s online request form: https://edpo.com/uk-gdpr-data-request/
- by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom