Privacy Policy
Last updated:
In this policy, we lay out what data we collect and why, how your data is handled, and your rights with respect to your data.
We never sell your data.
This policy applies to the dunningbear.com website ("Dunning Bear") and other websites owned and operated by Forty Two Technologies, Inc. ("we", "us" or "our").
This policy applies to all users of our website and services, including visitors, potential customers, and account holders (in relation to their procurement of the services and management of their relationship with Dunning Bear). We refer collectively to these categories of individuals as "you" throughout this policy.
What data we collect and why
Our guiding principle is to collect only what we need. Here’s what that means in practice:
Identity and access
When you sign up for Dunning Bear, we ask for identifying information such as your email address, and maybe a personal or company name. That’s so you can personalize your new account, and we can send you product updates and other essential information. We may also send you questions or surveys from time to time to help us understand how you use our product and to make improvements. With your consent, we might send you our newsletter and other updates.
We’ll never sell your personal information to third parties, and we won’t use your name or company in marketing statements without your permission either.
Billing information
If you sign up for a paid account, you will be asked to provide your payment information and billing address. Credit card information is submitted directly to our payment processor and doesn’t hit our servers. We also don't store any billing information except your personal or company name and email address that you provide. We occasionally use the aggregated billing information to guide our marketing efforts.
General Geolocation, Device, Browser, and Log data
IP Addresses. When you use our services, your IP address appears only in our temporary logs. We never store IP addresses permanently. These logs are retained for up to 4 weeks for security and troubleshooting purposes, after which they are automatically deleted.
Device and Browsing Information. We collect and store the following data on our analytics servers, which we control and maintain:
- Device type, screen size, and operating system
- Browser type and version
- Pages you visit and the time and date of your visit
- Country of origin
- Referring website or page
All analytics data is stored and processed on servers under our direct control, ensuring your information doesn't leave our secure environment. Importantly, we don't tie this browsing and usage data to your individual account.
Stripe subscriptions data
To provide our services effectively, we do store some basic information about your Stripe subscription on an ongoing basis. This includes:
- Subscription ID
- Subscription email
- Subscription cancellation date, reason, and feedback
If you delete your account, we will immediately delete all data associated with your account from our active systems. However, please note that it may take up to 90 days for this data to be completely purged from our backup systems.
Voluntary correspondence
When you email Dunning Bear with a question or for help, either directly or through a support window on our websites, we keep that correspondence, including your email address and browser type and version, so we have a history to reference if you contact us in the future.
Data accuracy
We do our best to keep the personal data we collect accurate and up to date. You can usually update your personal information, such as your email address or account name, directly in your account settings. If you need assistance with updating your personal data, please email us at privacy@dunningbear.com, and we will help you. If you notice any errors in your data, let us know so we can correct them.
When we access or disclose your information
To provide products or services you’ve requested. We use third-party subprocessors to help run our applications and provide the Services to you. You can view the list on the Subprocessors page.
We may disclose your information at your direction when you integrate a third-party service into your use of our product.
We don't look at your content except for limited purposes, with your express permission, for example, if an error occurs that stops an automated process from working and requires manual intervention to fix. These are rare cases, and when they happen, we look for root cause solutions as much as possible to avoid them recurring. We may also access your data if required in order to respond to legal process (see “When required under applicable law” below).
To help you troubleshoot or squash a software bug, with your permission. If at any point we need to access your content to help you with a support case, we will ask for your consent before proceeding.
To investigate, prevent, or take action regarding restricted uses. Accessing a customer’s account when investigating potential abuse is a measure of last resort. We want to protect the privacy and safety of both our customers and the people reporting issues to us, and we do our best to balance those responsibilities throughout the process. If we discover you are using our product for a restricted purpose, we will take action as necessary, including notifying appropriate authorities where warranted.
Aggregated and de-identified data. We may aggregate and/or de-identify information collected through the services. We may use de-identified or aggregated data for any purpose, including marketing or analytics.
When required under applicable law. Forty Two Technologies, Inc. is a U.S. company and complies with U.S. laws.
- Requests for user data. Our policy is to not respond to government requests for user data unless we are compelled by legal process or in limited circumstances in the event of an emergency request. However, if U.S. law enforcement authorities have the necessary warrant, criminal subpoena, or court order requiring us to disclose data, we must comply. Likewise, we will only respond to requests from government authorities outside the U.S. if compelled by the U.S. government through procedures outlined in a mutual legal assistance treaty or agreement. It is Dunning Bear’s policy to notify affected users before we disclose data unless we are legally prohibited from doing so, and except in some emergency cases.
- Preservation requests. Similarly, Dunning Bear’s policy is to comply with requests to preserve data only if compelled by the U.S. Federal Stored Communications Act, 18 U.S.C. Section 2703(f), or by a properly served U.S. subpoena for civil matters. We do not disclose preserved data unless required by law or compelled by a court order that we choose not to appeal. Furthermore, unless we receive a proper warrant, court order, or subpoena before the required preservation period expires, we will destroy any preserved copies of customer data at the end of the preservation period.
- If we are audited by a tax authority, we may be required to disclose billing-related information. If that happens, we will disclose only the minimum needed, such as billing addresses and tax exemption information.
Legal Bases for Processing Your Information
Here's why and how we collect and use your information:
To Provide Our Services. We need some of your information to deliver the services you've asked for. For example, we need your email to send you account-related notifications.
For Our Legitimate Interests. Sometimes we use your information to improve our services or to keep things running smoothly. This includes activities such as research, marketing our services, and protecting our legal rights. We make sure that our interests do not override your rights and freedoms. We always strive to use the least amount of data necessary for these purposes.
With Your Permission. For some things, like sending you our newsletter, we'll ask for your consent first.
To Comply with the Law. Sometimes the law requires us to collect and use your information.
You can always change your mind about the permissions you've given us. This won't affect anything we've already done based on your previous consent.
Your rights with respect to your information
At Dunning Bear, we strive to apply the same data rights to all customers, regardless of their location. Some of these rights include:
Right to Know. You have the right to know what personal information is collected, used, shared or sold. We outline both the categories and specific bits of data we collect, as well as how they are used, in this privacy policy.
Right of Access. This includes your right to access the personal information we gather about you, and your right to obtain information about the sharing, storage, security and processing of that information.
Right to Correction. You have the right to request correction of your personal information.
Right to Erasure (Right To Be Forgotten). This is your right to request, subject to certain limitations under applicable law, that your personal information be erased from our possession and, by extension, from all of our service providers. Fulfillment of some data deletion requests may prevent you from using Dunning Bear services because our applications may then no longer work. In such cases, a data deletion request may result in closing your account.
Right to Complain. You have the right to make a complaint regarding our handling of your personal information with the appropriate supervisory authority.
Right to Restrict Processing. This is your right to request restriction of how and why your personal information is used or processed, including opting out of sale of your personal information. (Again: we never have and never will sell your personal data.)
Right to Object. You have the right, in certain situations, to object to how or why your personal information is processed.
Right to Portability. You have the right to receive the personal information we have collected about you and the right to transmit it to another party. If you want to export data from your accounts, you can do so by emailing us at privacy@dunningbear.com.
Right Not to Be Subject to Automated Decision-Making. You have the right to object to and prevent any decision that could have a legal or similarly significant effect on you from being made solely based on automated processes. This right is limited if the decision is necessary for performance of any contract between you and us, is allowed by applicable law, or is based on your explicit consent.
We aim to respond to all user requests regarding their personal information within 30 days. For complex requests, we may need up to an additional 60 days, and will notify you if an extension is necessary.
Please note that certain information may be exempt from such requests under applicable law. For example, we need to retain certain information in order to provide our services to you.
In some cases, we need to verify your identity before responding to your request, which may include confirming your name and email address. If we cannot verify your identity, we may be unable to fulfill your request. For questions or assistance, please contact us at privacy@dunningbear.com or at 2093 Philadelphia Pike, #9998, Claymont, DE 19703 USA. If an authorized agent is acting on your behalf, we will need written consent from the account holder.
Depending on applicable law, you may have the right to appeal our decision to deny your request. We will include information on how to exercise this right in our response. You also have the right to lodge a complaint with a supervisory authority. If you are in the EU or UK, you can contact your local data protection authority to file a complaint or learn more about privacy laws.
How we secure your data
All data is encrypted via SSL/TLS when transmitted from our servers to your browser. The database backups are also encrypted. In addition, we use industry-standard practices to secure your data at rest. For more information about how we keep your information secure, please review our Security practices.
In the unlikely event of a data breach compromising your personal information, we will notify you and, where legally required, the relevant authorities without undue delay, ideally within 72 hours. We will inform you via email, detailing the nature of the breach, the data involved, and the steps we are taking. We will also provide guidance on protecting yourself.
What happens when you delete your account
You can delete your account from your account settings. If you choose to delete your account, all your content and personal data will become immediately inaccessible. Your data will be purged from our active databases, and should be completely removed from our backups within 90 days.
Please note that we may retain certain information as required by law or for legitimate business purposes, such as basic account information for legal and tax requirements.
Data retention
We keep your information for the time necessary for the purposes for which it is processed. The length of time for which we retain information depends on the purposes for which we collected and use it and your choices, after which time we may delete and/or aggregate it. We may also retain and use this information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Through this policy, we have provided specific retention periods for certain types of information.
Location of website and data
Our marketing website is hosted in the United States. However, all user data and application servers are located within the European Union. This means that your personal information and any data you provide through our services are stored and processed entirely within the EU, in compliance with EU data protection regulations. If you access our marketing website from outside the United States, please be aware that it is subject to U.S. laws, which may differ from those of your country of residence.
Business transfers
If we or our assets are acquired, or in the unlikely event of our business going out of operation or entering bankruptcy, your data may be included among the assets transferred to the acquiring parties. In such a case, we will make reasonable efforts to notify you before your information becomes subject to a different privacy policy. You acknowledge that such transfers may occur, and that any parties who acquire us may continue to use your personal information according to this policy. However, they will be required to adhere to the commitments we've made in this privacy policy.
Limits of our policy
Our website may link to external websites that are not operated by us. Please be aware that we have no control over the content and policies of those websites, and cannot accept responsibility or liability for their respective privacy practices.
Changes to this policy
We may update this policy as needed to comply with relevant regulations and reflect any new practices. If we make significant changes, we will refresh the date at the top of this page. Your continued use of this website 30 days after such notifications will be regarded as acceptance of our updated practices around privacy and personal information. If you do not agree with the changes, you should discontinue using our services. For certain types of data processing, we may seek your explicit consent.
If you have any questions, please get in touch by emailing us at privacy@dunningbear.com.
Acknowledgment
Dunning Bear's Privacy Policy is open source, licensed under CC BY 4.0. Adapted from the Basecamp open-source policies / CC BY 4.0.