Privacy Policy

Last Updated: Jan 30, 2024

Support Bunny (“our”, “us” or “we”), respects your privacy and is committed to protecting it through our compliance with this privacy policy (“Privacy Policy”).
‍
This Privacy Policy applies to information collected by Support Bunny through the Support Bunny Site, any Support Bunny computer software available from the Support Bunny Site ("Support Bunny Software") and any Support Bunny services purchased or otherwise made available from the Support Bunny Site ("Support Bunny Services") (collectively, the "Support Bunny Properties").

This Privacy Policy does not apply to the practices of any third party websites, applications or services that Support Bunny does not own or maintain (collectively, “Third Party Services”) or to any third parties that use the Support Bunny Application Programming Interface (API) to perform any function related to the Support Bunny Properties (“Integrated Platforms”). In particular, this Privacy Policy does not cover any information or other content you can view via the Support Bunny Properties on Integrated Platforms or information you provide to Third Party Services accessed via the Support Bunny Properties. As further detailed below, we cannot take responsibility for the content or privacy policies of any Third Party Services.This Privacy Policy also does not cover any information, recorded in any form, about more than one individual where the identity of the individuals is not known, cannot be inferred from the information, and is not linked or reasonably linkable to an individual, including via a device (“Aggregated Information”). Support Bunny retains the right to use Aggregated Information in any way that it reasonably determines is appropriate.

By using the Support Bunny Services or otherwise providing us with your Personal Information (as defined below), you are accepting the practices described in this Privacy Policy, as they may be amended by us from time to time, and agreeing to our collection and use of your information in accordance with this Privacy Policy. If you do not agree to the collection, use and disclosure of your information in this way, please do not use any of the Support Bunny Properties or otherwise provide Support Bunny with Personal Information.

Please refer to our

Privacy Overview

for additional details regarding how Support Bunny Properties may use your information, including Support Bunny’s use of certain applications and platforms operated by Third Party Services, and how you may export your data.

What information Support Bunny collects from you

Support Bunny collects only the information required to provide products and services to you. The amount of information provided by you and collected by Support Bunny depends on the circumstances. Support Bunny may collect two (2) types of information about you: Personal and Non-Personal.

“Personal Information.” Personal Information means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, or is otherwise defined as personal information under applicable law. Support Bunny may collect Personal Information when you use the Support Bunny Properties including, without limitation, setting up account information, filling out surveys, corresponding with Support Bunny, or otherwise volunteering information about yourself.
“Non-Personal Information.” Non-Personal Information refers to information that does not meet the definition of Personal Information above. Support Bunny may collect Non-Personal Information through any of the methods discussed above as well as automatically through use of industry standard technologies described further below.

How Support Bunny collects your information

Registration. Prior to using one or more of the Support Bunny Properties, Support Bunny may require you to provide us with certain Personal Information and Non-Personal Information to create an account (“Account”) or to enable features or functionality of the Support Bunny Properties.
Users. Support Bunny may gather Personal Information about organizational representatives via various methods (phone, email, online forms, in-person meetings) but only if such Personal Information is submitted voluntarily. Support Bunny may use such Personal Information for sales, marketing, and support of the Support Bunny Properties. This Personal Information is never shared with third parties other than Third Party Service Providers utilized by a User in connection with Support Bunny Services.
User communications. When you send email or other communications to us, we may retain those communications in order to process your inquiries, respond to your requests and improve the Support Bunny Properties.
Payment Information. When creating an Account, for certain Support Bunny Properties, or when you make online purchases, you may be asked to provide information, which may include your payment instrument number (e.g., credit card), your name and billing address, and the security code associated with your payment instrument (e.g., the CSV) and other financial data (“Payment Information”). We use Payment Information to complete transactions, as well as for the detection and prevention of fraud. When you provide Payment Information while authenticated, we will store that data to help you complete future transactions without your having to provide the information again. We do not, however, retain the security code associated with your payment instrument (e.g., the CSV) in this manner. To remove or modify Payment Information, please contact us. After you close your account or remove Payment Information, however, we may retain your Payment Information for as long as reasonably necessary to complete your existing transaction and for the detection and prevention.
Information Collected Through Technology. Support Bunny automatically collects and receives certain information from your computer or mobile device, including the activities you perform on the Support Bunny Site, the Support Bunny Software and the Support Bunny Services, the type of hardware and software you are using (for example, your operating system or browser), and information obtained from cookies (see below). If you have an Account, we may link this Non-Personal Information to your Account to better understand your needs and the needs of Users in the aggregate, diagnose problems, analyze trends, provide services, improve the features and usability of the Support Bunny Properties, and better understand and market to our customers and Users.
We use technology to automatically gather information by the following methods:
- Cookies. Support Bunny uses cookies on the Support Bunny Site and other aspects of the Support Bunny Properties. Cookies, including local shared objects, are small pieces of information that are stored by your browser on your computer's hard drive which work by assigning to your computer a unique number that has no meaning outside of the Support Bunny Properties. Most web browsers automatically accept cookies, but you can usually configure your browser to prevent this. Not accepting cookies may make certain features of the Support Bunny Properties unavailable to you.
- IP Address. You may visit many areas of the Support Bunny Site anonymously without the need to become a registered User. Even in such cases, Support Bunny may collect IP addresses automatically. An IP address is a number that is automatically assigned to your computer whenever you begin services with an Internet services provider. Each time you access the Support Bunny Site and each time you request one of the pages of the Support Bunny Site, the server logs your IP address.
- Web Beacons. Web beacons are small pieces of data that are embedded in web pages and emails. Support Bunny may use these technical methods in HTML emails that Support Bunny sends to Users to determine whether they have opened those emails and/or clicked on links in those emails. The information from use of these technical methods may be collected in a form that is Personal Information.
- Tracking Content Usage. If you use the Support Bunny Services and you post audio visual materials including, without limitation, videos, links, logos, artwork, graphics, pictures, advertisements, sound and other related intellectual property contained in such materials (collectively, “Content”) to your website or to a third party website, Support Bunny tracks and captures information associated with User accounts and the use of Content by those that access your Content.
Information You Provide About a Third Party. You may have the opportunity to communicate with others from the Support Bunny Properties, such as by sending an invitation to a friend. If you choose to take advantage of this functionality, we may ask you to provide us with certain information about the person with whom you wish to communicate (e.g., name, email address, etc.). Support Bunny collects such information for the purposes of facilitating the requested communication, which may contain a specific promotional message from you (e.g., an invitation to watch a video). Unless we explicitly say otherwise, Support Bunny will not use this information for other marketing purposes without first obtaining consent from the person to whom the relevant information pertains. Please be aware that when you use any invitation functionality on the Support Bunny Properties, your email address, name or username, and message may be included in the communication sent to your addressee(s).

How Support Bunny uses your information

Personal Information. Support Bunny identifies the purpose for which your Personal Information is collected and will be used or disclosed. If that purpose is not listed below, we will identify any additional purposes for which we will collect your Personal Information, before or at the time of collection, and we will obtain your consent to collect, use or disclose your Personal Information for such additional purpose(s).
By using the Support Bunny Properties, you will be deemed to consent to our use of your Personal Information for the purposes of:
- communicating with you generally;
- processing your purchases;
- processing and keeping track of transactions and reporting back to you;
- protecting against fraud or error;
- providing information or services requested by you;
- administering and managing the Support Bunny Properties and our business operations;
- personalising your experience with the Support Bunny Site, as well as evaluating statistics on Support Bunny Site activity;
- performing statistical analyses of your behavior and characteristics, in order to measure interest in and use of the various sections of the Support Bunny Site;
- communicating with you on other websites;
- email gating;
- delivery of content and information to Third Party Services Providers;
- complying with legal and governmental requirements; and/or
- fulfilling any other purpose that would be reasonably apparent to the average person at the time that we collect it.
Users utilize Support Bunny Properties to manage and deliver Content to Viewers. As part of this process, Support Bunny may collect Personal Information from you.
Otherwise, we will obtain your express consent (by verbal, written or electronic agreement) to collect, use or disclose your Personal Information. You can change your consent preferences at any time by contacting us (see the “How to Access, Change and Erase Your Personal Information” section below).
Support Bunny extends the rights granted to “data subjects” under the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) to all of its Users. Consequently, you have the right to withdraw your consent to our processing of your Personal Information at any time (if our processing is based on consent) and the right to object to our processing of your Personal Information (if processing is based on legitimate interests).
Non-Personal Information. Support Bunny may use Non-Personal Information for the following purposes:
- System Administration: Support Bunny may use Non-Personal Information for the purposes of system administration, assisting in diagnosing problems with Support Bunny servers, monitoring Support Bunny's system performance and traffic on the Support Bunny Properties and to gather broad demographic information about Support Bunny Users.
- Personalisation: Support Bunny uses cookies and IP addresses to track features such as delivering Content specific to your interests and informing you of new, relevant services or certain third party offerings.

Personal Information. Support Bunny identifies the purpose for which your Personal Information is collected and will be used or disclosed. If that purpose is not listed below, we will identify any additional purposes for which we will collect your Personal Information, before or at the time of collection, and we will obtain your consent to collect, use or disclose your Personal Information for such additional purpose(s).
By using the Support Bunny Properties, you will be deemed to consent to our use of your Personal Information for the purposes of:
- communicating with you generally;
- processing your purchases;
- processing and keeping track of transactions and reporting back to you;
- protecting against fraud or error;
- providing information or services requested by you;
- administering and managing the Support Bunny Properties and our business operations;
- personalising your experience with the Support Bunny Site, as well as evaluating statistics on Support Bunny Site activity;
- performing statistical analyses of your behavior and characteristics, in order to measure interest in and use of the various sections of the Support Bunny Site;
- communicating with you on other websites;
- email gating;
- delivery of content and information to Third Party Services Providers;
- complying with legal and governmental requirements; and/or
- fulfilling any other purpose that would be reasonably apparent to the average person at the time that we collect it.
Users utilize Support Bunny Properties to manage and deliver Content to Viewers. As part of this process, Support Bunny may collect Personal Information from you.
Otherwise, we will obtain your express consent (by verbal, written or electronic agreement) to collect, use or disclose your Personal Information. You can change your consent preferences at any time by contacting us (see the “How to Access, Change and Erase Your Personal Information” section below).
Support Bunny extends the rights granted to “data subjects” under the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) to all of its Users. Consequently, you have the right to withdraw your consent to our processing of your Personal Information at any time (if our processing is based on consent) and the right to object to our processing of your Personal Information (if processing is based on legitimate interests).
Non-Personal Information. Support Bunny may use Non-Personal Information for the following purposes:
- System Administration: Support Bunny may use Non-Personal Information for the purposes of system administration, assisting in diagnosing problems with Support Bunny servers, monitoring Support Bunny's system performance and traffic on the Support Bunny Properties and to gather broad demographic information about Support Bunny Users.
- Personalisation: Support Bunny uses cookies and IP addresses to track features such as delivering Content specific to your interests and informing you of new, relevant services or certain third party offerings.

How to access, change and erase your personal information

Upon request, Support Bunny will allow Users to update or correct Personal Information previously submitted, but only to the extent such activities will not compromise privacy or security interests. Additionally, upon request, Support Bunny will delete Personal Information from the database where such information is stored; however, it may be impossible to entirely delete a User’s entry without some residual information being retained due to the manner in which data backups are maintained. Requests to delete Personal Information may be submitted to privacy@Support Bunny.so

Users also have the right to receive their Personal Information from us in a structured, commonly used and machine-readable format, and the right to transmit their Personal Information to another controller without hindrance from us (data portability).

Email preferences

Support Bunny may use your Personal Information to send you emails periodically listing promotions or events relating to the Support Bunny Properties. You have the choice to opt-out of receiving such promotional emails by sending an email to privacy@Support Bunny.so and/or following the instructions in such correspondence. OnceSupport Bunny's has processed your opt-out request, Support Bunny will not send you promotional emails unless you opt back in to receiving such communications.

Disclosure of information to third parties

Except as described below, we do not sell, transfer or otherwise disclose, sell, trade, or otherwise transfer your Personal Information to outside parties. This statement does not include trusted third party service providers who assist us in administering and providing the Support Bunny Properties or provide services to us. Examples include storing and managed Content, analyzing data, providing marketing assistance, integrations of Third Party Services such as CRM and MAP services, processing credit card payments, and providing customer service. These third party service providers will have access to Personal Information needed to perform their functions, but may not use it for other purposes, and they are subject to appropriate agreements with Support Bunny and/or its Users to secure and protect the confidentiality of your Personal Information.

We may use service providers located outside of the United States, and, if applicable, your Personal Information may be processed and stored in other countries and therefore may be subject to disclosure under the laws of those countries. You explicitly consent and agree to such transfer, storing and/or processing of your Personal Information outside of the United States or other country in which you are located.

We may share Payment Information with third parties for purposes of fraud prevention or to process payment transactions.

We may also release your information when we believe release is appropriate to comply with the law, enforce our policies, or protect our or others’ rights, property or for safety. We may also provide non-Personal Information to other parties for marketing, advertising or other uses.

Information, including Personal Information, is considered to be a business asset. As a result, in the unlikely event that we go out of business, enter bankruptcy or if we are acquired as a result of a transaction such as a merger, acquisition or asset sale, your Personal Information may be disclosed or transferred to the third-party acquirer in connection with the transaction.

We may also share information related to your account with your employer or organization if you have an individual Support Bunny account and your account email domain is owned or managed by your employer or organization.

Lastly, we may provide Users with certain usage information directly related to the videos and/or other Content that they make available through the Support Bunny Properties. Such information may include who watched a particular Content (if the viewer is logged into Support Bunny), which Content of a particular User was watched, and how many times a particular Content was watched.

Under certain exceptional circumstances, Support Bunny may have a legal duty or right to collect, use or disclose your Personal Information without your knowledge or consent. In accordance with applicable laws, We will not disclose any consumer information (which may include Personal Information) without your written consent, except where consumer information is required to be disclosed: (i) for billing or market operation purposes; (ii) for law enforcement purposes; or (iii) for the purpose of complying with a legal requirement.

When you create an account using a corporate email domain belonging to your employer or other organization, the organization may be able to (1) access information in and about the account, including your Personal Information; (2) disclose, restrict or access Content posted in connection with the account; and (3) control how the account is accessed or deleted.

You consent to disclosure of your information for the above purposes.

Safeguarding your personal information

Support Bunny takes appropriate security measures to protect against unauthorized access, alteration, disclosure or destruction of Personal Information. These include, but are not limited to, internal reviews of: (a) Support Bunny's data collection; (b) storage and processing practices; (c) electronic security measures; and (d) physical security measures to guard against unauthorized access to systems where Support Bunny stores Personal Information.

Unfortunately, no data transmission over the internet can be guaranteed to be 100% secure. As a result, while we are committed to protecting your Personal Information, we cannot ensure or warrant the security of any information you provide to us.

All Support Bunny employees who access Personal Information are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution or unauthorized use or disclosure of Personal Information.

Some or all of the Personal Information we collect may be stored or processed on servers located outside your jurisdiction of residence, whose data protection laws may differ from the jurisdiction in which you live. As a result, this information may be subject to access requests from governments, courts, or law enforcement in those jurisdictions according to laws in those jurisdictions.

Retention of information

Support Bunny retains the Personal Information that we collect about you for as long as reasonably necessary for the purposes set out in this Privacy Policy. We also may retain your Personal Information for a longer period of time on the basis of our legitimate interests in providing or marketing our services to you or as necessary to comply with our legal obligations, to resolve disputes, and to enforce our agreements. Even if we delete some or all of your Personal Information, we may continue to retain and use information that has been aggregated or anonymised so that it can no longer be used for personal identification.

Children and students

Support Bunny takes the privacy of children and students extremely seriously. Personal information we collect through the Support Bunny Services may be subject to the Children’s Online Privacy Protection Act (“COPPA”) and/or the Family Educational Rights and Privacy Act (“FERPA”).

COPPA Compliance. COPPA requires that operators of websites and online services that collect the personal information of children under 13 years of age (i) inform parents and legal guardians about their practices for collecting, using and disclosing such personal information and (ii) obtain verifiable consent from parents and legal guardians for doing so. We only collect personal information through the Support Bunny Services from a child under 13 if that student’s school, school district or teacher has agreed to obtain parental consent for that child to use the Support Bunny Services and disclose personal information to us for purposes of providing the Support Bunny Services, or we have directly obtained such parental consent.

If you are a student under 13, please do not send any personal information about yourself to us if your school, school district or teacher has not obtained this prior consent from your parent or guardian, or we have not obtained such consent, and please do not send any personal information other than what we request from you in connection with the Support Bunny Services. If we learn we have collected personal information from a student under 13 without parental consent having been obtained, or if we learn a student under 13 has provided us personal information beyond what we request from him or her, we will delete that information as quickly as possible. If you believe that a student under 13 may have provided us with personal information in violation of this Privacy Policy, please contact us at privacy@Support Bunny.so

FERPA Compliance. FERPA protects personally identifiable information contained in students’ education records from unauthorized disclosure. Consistent with FERPA, we will only use education records, as defined under FERPA, for the purpose of providing agreed services to a school, school district or teacher. We will never share or sell FERPA-protected information, or use it for any other purposes, except as otherwise directed or permitted by the school, school district or teacher. If a parent or eligible student requests access to education records that are hosted on our servers, we will help facilitate such access.

EU and Swiss Privacy Shield Frameworks

Support Bunny complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from European Union member countries (as well as Iceland, Liechtenstein, and Norway), the United Kingdom ("UK") and Switzerland transferred to the United States in reliance on the Privacy Shield. Support Bunny has certified that it adheres to the Privacy Shield Principles with respect to such Personal Information. If there is any conflict between the policies in this Privacy Policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit www.privacyshield.gov

With respect to Personal Information received or transferred pursuant to the Privacy Shield Frameworks, Support Bunny is subject to the regulatory and enforcement powers of the U.S. Federal Trade Commission.

Types of EU, UK and Swiss Personal Information Collected. Our participation in the Privacy Shield applies to all Personal Information that is subject to this Privacy Policy and is received from the European Union and European Economic Area, the UK and Switzerland. We will comply with the Privacy Shield Principles with respect to all EU, UK and Swiss Personal Information. We may collect employment-related Personal Information regarding our employees located in the EU, the UK and Switzerland.

Purposes of EU, UK and Swiss Personal Information Collection and Use. We will only process EU, UK and Swiss Personal Information in ways that are compatible with the purpose for which we collected the EU, UK and Swiss Personal Information, or for purposes that the individual or entity providing the EU, UK and Swiss Personal Information later authorizes.

Pursuant to the Privacy Shield Frameworks, EU, UK and Swiss individuals have the right to obtain our confirmation of whether we maintain Personal Information relating to you in the United States. Upon request, we will provide you with access to the Personal Information that we hold about you. You may also correct, amend, or delete the Personal Information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to privacy@Support Bunny.so. If requested to remove data, we will respond within a reasonable timeframe.

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your Personal Information, please submit a written request to privacy@Support Bunny.so

In certain situations, we may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Support Bunny’s accountability for Personal Information that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Support Bunny remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the Personal Information on its behalf do so in a manner inconsistent with the Principles, unless Support Bunny proves that it is not responsible for the event giving rise to the damage.

In compliance with the Privacy Shield Principles, Support Bunny commits to resolve complaints about your privacy and our collection or use of your Personal Information transferred to the United States pursuant to Privacy Shield. European Union and Swiss individuals with Privacy Shield inquiries or complaints should first contact Support Bunny by email at privacy@Support Bunny.so or via post at:

Support Bunny, Inc. 40 b rue de Sévigné, 75003 Paris, France.

Support Bunny has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.

Support Bunny commits to cooperate with the EU data protection authorities (DPAs), the UK Information Commissioner and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU, the UK and/or Switzerland, as applicable, in the context of the employment relationship with Support Bunny.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 here

California residents

California law grants additional privacy rights to California residents. In particular, the California Consumer Privacy Act (CCPA) requires businesses to disclose, for the past 12 months, (i) the categories of personal information collected, (ii) the sources of the collected personal information, (iii) the purposes for which the collected personal information is used, (iv) the categories of personal information disclosed for a business purpose, and (v) the categories of any personal information sold. Support Bunny provides these disclosures in the following table. Support Bunny has not sold personal information in the past 12 months.

Category: Identifiers
‍Sources of Collection: Website visits and registration for Support Bunny Services
‍Purposes of Collection: To allow use of Support Bunny Services and to enable Support Bunny to communicate with you
‍Disclosures for a Business Purpose: To Support Bunny service providers for the purpose of providing Support Bunny Services to you
‍Category: Personal information categories listed in the California Customer Records statute
‍Sources of Collection: Registration for Support Bunny Services
‍Purposes of Collection: Credit card information to permit payment for premium Support Bunny Services
‍Disclosures for a Business Purpose: To Support Bunny service providers to facilitate payment transactionsCategory: Internet or other similar network activity
‍Sources of Collection: Your browsing and search history on the Support Bunny Site
‍Purposes of Collection: To improve the visitor experience on the Support Bunny Site, diagnose server problems and administer the Support Bunny Site
‍Disclosures for a Business Purpose: To marketing specialist companies for the purpose of enhancing the Support Bunny Site and improving the effectiveness of our advertising

California residents also have the rights described below. We will not discriminate against any California resident who exercises these rights.

Right to access/know. You may request from us a list of (i) the personal information that we have collected about you, and (ii) the categories of third parties to whom we have disclosed your personal information. You have the right to up to two (2) access requests each twelve (12) months.

Right to delete your personal information. You may request, at any time, that we delete your personal information.

You may contact us to exercise these rights at privacy@Support Bunny.so. To ensure the privacy and protection of individuals, we are required to verify your identity or otherwise authenticate your request(s). Please note that, under the CCPA, we are not required to grant a request to access/know or a request to delete with respect to personal information obtained from you in your role as an employee, owner, director, officer or contractor of a company and within the context of Support Bunny providing the Support Bunny Services to such company.

Third Party Websites and Services

The Support Bunny Properties may contain links to third party websites or services, including Third Party Services, (collectively, “Third Party Sources”) who may collect Personal Information and Non-Personal Information directly from you. Links to Third Party Sources are intended for convenience only. Third Party Sources are wholly independent from Support Bunny. Third Party Source may have separate privacy policies and data collection practices, independent of Support Bunny. Support Bunny: (a) has no responsibility or liability for these independent policies or actions; (b) is not responsible for the privacy practices or the content of such websites; and (c) does not make any warranties or representations about the contents, products or services offered on such websites or the security of any information you provide to them.

Changes to this Privacy Policy

The terms in this Privacy Policy may be changed from time to time, so you should review it periodically for changes. We reserve the right, at any time, to modify or replace this Privacy Policy. The date of the most recent version of the Privacy Policy is noted below under “Effective Date of this Privacy Policy.” We may also notify you via email or other direct electronic communication method of any changes that, in our sole discretion, materially impact your use of the Support Bunny Properties or the treatment of your Personal Information. Your use of the Support Bunny Properties following the posting of any changes to the Privacy Policy constitutes acceptance of those changes.

How to contact us

If you have any questions or concerns about this Privacy Policy or our privacy practices, you may contact us directly as follows:
Email us at: privacy@Support Bunny.so, or write at: Support Bunny, 40 b rue de Sévigné, 75003 Paris, France.
If you are a resident of the European Union, and you believe that our processing of your Personal Information is inconsistent with your data protection rights under the GDPR and we have not adequately addressed your concerns, you have the right to lodge a complaint with the data protection supervisory authority of your country. Current list of National Data Protection Authorities and members of the European Data Protection Board found here.

Data Processing Addendum

This Data Processing Agreement forms an addendum to the Terms of Use between Support Bunny and Customer for the purchase ofServices, including any and all applicable Order Form(s), Purchases, exhibits and/or schedules (the “Agreement”).

In the course of providing the Services toCustomer pursuant to the Agreement, Support Bunny may Process Personal Data on behalfof Customer. This DPA reflects the parties’ agreement with regard to theProcessing of Personal Data.

The Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

Definitions

All capitalized terms not defined here in shall have the meaning ascribed to them in the Agreement. In this DPA, the following capitalized terms used shall further have the meanings given to them below:

The terms “Data Controller” and “DataProcessor” shall have the meaning ascribed by the GDPR. The terms “DataSubject”, “Personal Data” and “Process, Processing” shall have the meaningascribed by the GDPR, but shall only cover the scope of personal data processingspecified in Exhibit A of this DPA. However, in case that the Applicable DataProtection Laws define these terms differently and the GDPR does not apply tothe Processing, the definition set forth by the Applicable Data Protection Laws shall apply instead of the definition ascribed by the GDPR. In case that theApplicable Data Protection Laws define these terms differently and the GDPR applies to the Processing, the definition provided in the GDPR will prevail. Incase the Applicable Data Protection Laws define terms, which have the same or materially similar meaning to the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”and/or “Process, Processing”, such terms will be considered as covered correspondingly by the definitions provided herein.

The terms "Business AssociateAgreement", "Covered Entity" and "Protected HealthInformation" shall have the meaning ascribed by HIPAA and shall be interpreted in accordance with relevant regulations issued by the U.S. Department of Health and Human Services.

“Admin User Email Address” means every email address associated with the Customer’s account with Support Bunny in the way that it is, at the given point of time, registered by Support Bunny as an email address of an admin user of the Customer’s account.

“Applicable Data Protection Laws” means alldata protection laws and regulations applicable to the Processing of PersonalData under this DPA, which may, depending on the circumstances, include but not be limited to the European Data Protection Laws and/or HIPAA, as defined below.

“Data Breach” means a personal data breach concerning Personal Data, which is likely to result in a risk to the rights and freedoms of the Data Subjects.

“EEA” means the European Economic Area.

“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“European Data Protection Laws” means the GDPR and/or the FADP, as applicable to the Personal Data Processing inquestion.

“FADP” means the Federal Act on DataProtection adopted by the Federal Assembly of the Swiss Confederation, as amended.

“GDPR” means the EU GDPR and/or the UKGDPR, as applicable to the Personal Data Processing in question.

"HIPAA" means the United States’Health Insurance Portability and Accountability Act of 1996.

”EU Standard Contractual Clauses for DataTransfers to Third Countries” means the standard contractual clauses as approved by the European Commission’s decision 2021/915 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the EU GDPR, and any amendments thereto.

”Subprocessor” means any legal entity, including a subcontractor, engaged by Support Bunny to Process all or part of thePersonal Data for Support Bunny on behalf of the Customer.

“UK GDPR” has the meaning given to it insection 3(10) of the UK Data Protection Act 2018.

“UK International Data Transfer Addendum”means the International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the UK’s Data Protection Act 2018 on 2 February 2022 and any amendments thereto.

1. Application of data protection laws and terms

Compliance with Applicable Data Protection Laws. The Customer hereby represents that this DPA complies, to its reasonable knowledge, with all Applicable DataProtection Laws and contains all provisions required by such laws. Considering the nature of the Services, the Customer acknowledges that the Processing ofPersonal Data under this DPA may be subject to various Applicable DataProtection Laws, even those which are not explicitly mentioned in this DPA, depending on the territorial extent of Customer’s usage of the Services. TheCustomer is responsible for informing Support Bunny without undue delay about any discrepancy between this DPA and the requirements of the Applicable DataProtection Laws.
Applicability of the European Data Protection Laws, roles of the Parties. The parties acknowledge that GDPR applies to the Processing ofPersonal Data if and to the extent conditions set forth by Art. 3 of the GDPRare fulfilled. The parties further acknowledge that the FADP applies to theProcessing of Personal Data if and to the extent conditions set forth by theFADP are fulfilled. To the extent the European Data Protection Laws apply to the Processing of Personal Data under this DPA, the Customer may act as a DataController and/or a Data Processor and Support Bunny acts as a Data Processor. Where the Customer acts as a Data Processor and engages Support Bunny as another Data Processor in accordance with Art. 28(4) of the GDPR, the Customer:
‍
a) Is responsible for ensuring that the same data protection obligations as set out in the contract or other legal act between the Customer and the Data Controller of the Personal Data are hereby imposed on Support Bunny;

b) Is responsible for ensuring that the instructions provided by the Customer to Support Bunny under Section 2.4 of this DPA do not violate the contract or other legal act between the Customer and the Data Controller of the Personal Data;

c) Assumes the rights and responsibilities of Data Controller towards Support Bunny under this DPA, therefore whenever this DPA refers to a “Data Controller”, such reference shall equally refer to theCustomer, and vice versa;
‍
Applicability of HIPAA. The Customer understands and agrees that it must separately enter into and execute a Business Associate Agreement (“BAA”) if (1) Customer qualifies asa Covered Entity or Business Associate and (2) Customer will make ProtectedHealth Information available to Support Bunny in connection with performing theAgreement, to the extent such Protected Health Information is collected from patients in the United States and its territories and possessions. Where the partie shave entered into a BAA, the BAA shall take precedence over this DPA with respect to any Protected Health Information collected from patients in theUnited States and its territories and possessions.

2. Processing of personal data

Customer’s Processing of Personal Data. Customer determines the purposes and means of the Processing of Personal Data. Customer’s instructions for the Processing of Personal Data shall comply with Applicable DataProtection Laws.
Customer’s liability. The Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data provided by the Customer to Support Bunny and the means by which Customer acquired such Personal Data. To the extent the European DataProtection Laws apply to the Processing of Personal Data under this DPA, theCustomer is liable for complying with its obligations as Data Controller, including informing the Data Subjects about the Processing of their PersonalData under this DPA, obtaining their consent, if necessary, and ensuring that the Customer and Support Bunny have the authority to use the Personal Data in accordance with the purposes defined herein.
Customer’s Instructions. Customer instructs Support Bunny to Process Personal Data for the provision ofServices, as specified in more detail in Exhibit A hereof. The Parties agree that this DPA, the Agreement, instructions provided via configuration tools incorporated in Support Bunny’s platform and instruction provided via Support Bunny’s dedicated customer support portal constitute Customer’s complete and final instructions to Support Bunny for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately in writing.
Obligations of Support Bunny. To the extent set forth by the Applicable Data Protection Laws, Support Bunny agrees, warrants and represents that it:

a) Ensures that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; further, Support Bunny shall only allow access to the Personal Data to such of the Support Bunny’s personnel who need access to the Personal Data in order to allow Support Bunny to perform its obligations under the Agreement;

b) Informs immediately the Customer if, to Support Bunny’s knowledge, an instruction infringes the Applicable Data ProtectionLaws;

c) Takes all measures to ensure the confidentiality of Personal Data and the security of Processing, as further specified in Section 3 hereof;

d) Assists the Customer in ensuring compliance with the obligations relating to the security of the Personal Data (as further specified in Section 3 hereof), Customer’s notification &communication obligations in case of Data Breach (as further specified in Section 7 hereof), conducting data protection impact assessments (or a similar assessment as designated by the Applicable Data Protection Laws) and consulting the supervisory authority if need be, taking into account the nature of Processing and the information available to Support Bunny; and

e) Makes available to the Customer on a reasonable basis all information necessary to demonstrate compliance with the obligations relating to Support Bunny as laid down in this DPA and in the ApplicableData Protection Laws, if applicable.

3. Security of Personal Data

Technical and Organizational Measures. Support Bunny shall, while taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for rights and freedoms of Data Subjects resulting from the Processing, implement appropriate technical and organizational measures listed in Exhibit B.
Reviews and Updates. The technical and organizational measures shall be reviewed and updated by Support Bunny where and when necessary. The Customer agrees that Support Bunny may unilaterally update the technical and organizational measures from time to time provided that such updates do not result in a material reduction of the level of protection of the Personal Data. Support Bunny’s obligation under Section 3.1 hereof remains unaffected.
Information. Support Bunny will provide the Customer with more information about securing, accessing and using Personal Data, anytime upon Customer's request.

4. Rights of Data Subjects and Other Reulatory Actions

. Data subjects’ right to information. It is the Customer's responsibility to provide the Data Subjects with the information on the processing of their Personal Data.
Exercise of data subjects’ rights. To the extent set forth by the Applicable Data Protection Laws,Support Bunny shall assist the Customer, insofar as this is possible, for the fulfilment of its obligation to respond to Data Subject right requests concerning notably the right of access, to rectification, erasure and to object, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).
Regulatory Action. If Support Bunny receives notice (whether or not from the Customer) of, any claim, complaint, request, direction, query, investigation, proceeding or other action of any Data Subject, court, regulatory or supervisory authority, or any body, organization or association in each case which relates in any way to the Personal Data Processed by Support Bunny under this DPA (collectively,“Regulatory Action”), then Support Bunny shall, if and to the extent required by theApplicable Data Protection Laws:

a) Notify the Customer via email sent tothe Admin User Email Address with reasonable detail of the Regulatory Action,including copies of any relevant correspondence so that the Customer can dealwith the Regulatory Action;

b) Provide the Customer with reasonable cooperation and assistance by appropriate technical and organizational measures with respect to any Regulatory Action; and

c) Not answer to a Regulatory Action, unless instructed otherwise by the Customer in writing or unless Support Bunny is required to answer under the Applicable Data Protection Laws.

5. Subprocessors

List of Subprocessors. Customer agrees that Support Bunny engages Subprocessors in connection with the provision of Support Bunny’s Services and that the list of the Subprocessors currently engaged by Support Bunny is listed on Support Bunny’s website. Therefore, by entering to this DPA, Customer authorizes Support Bunny to engage the Subprocessors mentioned in this list. Note that not all Subprocessors may be engaged, depending on the data storage location of your Support Bunny account.
General authorization. By executing the DPA, the Customer further grants Support Bunny with a general authorization to engage other Subprocessors, add or replace the Subprocessors in the list. In case the list of Subprocessors is modified bySupport Bunny, Customer will be informed of any intended changes via email to theAdmin User Email Address. This information will clearly indicate which processing activities are being subcontracted out, the name and contact details of the intended subprocessor.
Objections. To the extent Applicable Data Protection Laws grants Customer the right too bject against intended modifications concerning the addition or replacement of the Subprocessors, the Customer may reasonably object to such modification. Incase Customer does not send any objection to Support Bunny in writing within thirty (30)days from receiving the information, it will be deemed to have agreed to the new Subprocessors. If Customer objects, the Parties agree to negotiate to find a solution that will satisfy both Parties’ interests.
Same obligations. Where Support Bunny engages another Subprocessor, it shall do so by way of a contract which imposes on the Subprocessor the same obligations as the ones imposed on Support Bunny under this DPA. Support Bunny shall ensure that the Subprocessor complies with the obligations to which the data processor is subject pursuant to this DPA and the Applicable Data Protection Laws.
Subprocessor agreements. To the extent required by the Applicable Data Protection Laws and permitted by Support Bunny’s confidentiality obligations, Support Bunny may provide, at the Customer’s request, a copy of such a Subprocessor agreement and subsequent amendments to the Customer.
Liability. To the extent set forth by the Applicable Data Protection Laws, Support Bunny shall be liable towards the Customer for the acts and omissions of its Subprocessors to the same extent Support Bunny would be directly liable if performing the Services of each Subprocessor directly under the terms of this DPA.

6. International Data Transfers

Locations of Processing. Support Bunny hereby represents that it will Process Personal Data under thisDPA exclusively in the country of Support Bunny’s residence and in the countries designated in the list of Support Bunny’s Subprocessors maintained under Section 5.1hereof.
European Personal Data transfers subject to appropriate safeguards. The locations described is Section 6.1 herein above may include countries located outside the EEA, UK and Switzerland and, for the purposes of the applicable European DataProtection Law, (i) have not been recognized by the relevant authority as providing an adequate level of protection for personal data (as described in the applicable European Data Protection Law) or (ii) are not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for personal data (“Locations Subject to Appropriate Safeguards”). Where the Processing of Personal Data is subjectto the European Data Protection Law, the Parties shall not transfer PersonalData to any Location Subject to Appropriate Safeguards, unless the Parties have taken measures necessary to ensure that the transfer complies with the applicable European Data Protection Law.
EEA and Swiss Personal Data transfers to Support Bunny. Where the Processing of Personal Data consists of or includes a transfer of Personal Data from the Customer, whose activities are subject to the EU GDPR or the FADP, to Support Bunny, who is in aLocation Subject to Appropriate Safeguards and whose activities are not subject to the EU GDPR or the FADP, the EU Standard Contractual Clauses for DataTransfers to Third Countries will apply and are hereby incorporated to thisDPA. If necessary, Support Bunny shall apply supplementary measures to ensure that thePersonal Data transferred hereunder receives an essentially equivalent protection as that guaranteed in its original jurisdiction. For the purposes of the EU Standard Contractual Clauses for Data Transfers to Third Countries hereunder:

a) The Customer acts as a data exporter andSupport Bunny acts as a data importer;

b) Where the Customer acts as a DataController, Module 2: Transfer controller to processor will apply;

c) Where the Customer acts as a DataProcessor, Module 3: Transfer processor to processor will apply;

d) Clause 7 – Optional - Docking clause, will apply;

e) In Clause 9 – Use of sub-processors,Option 2 will apply, and the period for prior notice of sub-processor changes shall be ten (10) business days;

f) In Clause 11 - Redress, the optional language will not apply;

g) In Clause 12 - Liability, any claims brought under the EU Standard Contractual Clauses for Data Transfers to ThirdCountries shall be subject to the terms and conditions set forth in thisAgreement, whereby in no event shall any Party limit its liability with respect to any Data Subject rights under the EU Standard Contractual Clauses for DataTransfers to Third Countries;

h) In Clause 17 – Governing law, Option 1will apply, the clauses will be governed by the laws of France;

i) In Clause 18(b) - Choice of forum and jurisdiction, disputes shall be resolved before the courts of France;

j) Annex I(a) – List of Parties, shall be deemed completed with the following information:

i) The names and addresses of the data exporter and the data importer: as identified in the Agreement;
ii) The contact details of the data importer: the Admin User Email Address;
iii) The contact details of the data exporter: privacy@Support Bunny.io;
iv) Activities relevant to the data transferred under these Clauses: identified in the list of Subprocessors (Section5.1 of the DPA);
v) Signature and date: detailed in theAgreement;

k) Annex I(b) – Description of Transfer, shall be deemed completed with the following information:
‍
i) Categories of data subjects whose personal data is transferred, purpose(s) of the data transfer and further processing and the period for which the personal data will be retained:detailed in Exhibit A of the DPA;
ii) Categories of personal data transferred: detailed in Exhibit A of the DPA;
iii) The frequency of the transfer:Personal data is transferred on a continuous basis;
iv) Subject matter, nature and duration of the processing or transfers to subprocessors: identified in the list of Subprocessors (Section 5.1 of the DPA);
v) Signature and date: detailed in theAgreement;

l) For the purposes of Annex I(c) –Competent Supervisory Authority, the competent supervisory authority in accordance with Clause 13 of the EU Standard Contractual Clauses for DataTransfers is the Commission nationale de l'informatique et des libertés (CNIL);

m) Annex II – Technical and Organizational Measures including Technical and Organizational Measures to Ensure the Security of the Data, shall be deemed completed with the information inserted in ExhibitB of this DPA; and

n) For the purposes of Annex III - List ofSub-processors, the data exporter has authorised the use of the Subprocessors detailed in Section 5.1 of the DPA and the list of Subprocessors referred to therein.
UK Personal Data transfers to Support Bunny. Where the Processing of Personal Data consists of or includes a transfer of PersonalData from the Customer, whose activities are subject to the UK GDPR, to Support Bunny, who is in a Location Subject to Appropriate Safeguards and whose activities are not subject to the UK GDPR, the UK International Data Transfer Addendum will apply. As permitted by clause 17 of such addendum, the Parties agree to change the format of the information set out in Part 1 of the addendum so that:

a) The details of the Parties in table 1shall be deemed completed with the information inserted or referenced in the Agreement, including the references in Section 6.3 of this DPA;

b) For the purposes of table 2, the UK International Data Transfer Addendum shall be deemed appended to the EU Standard Contractual Clauses for Data Transfers as defined in Section 6.3 of this DPA (including the selection of modules and options and the disapplication of optional clauses as defined in Section 6.3 of this DPA);

c) The appendix information listed in table 3 shall be deemed completed with the information inserted or referenced inSection 6.3 hereof; and

d) For the purposes of table 4, either the data importer or data exporter may end this addendum as set out in clause 19 of the Addendum.
European Personal Data onward transfers. Where the Processing of Personal Data consists of or includes a transfer of Personal Data from Support Bunny, whose activities are subject to the European Data protection Law, acting as a data exporter, to a third party, whois in a Location Subject to Appropriate Safeguards and whose activities are not subject to the European Data protection Law, acting as a data importer(including, but not limited to, the Subprocessors), Support Bunny may transfer thePersonal Data to the third party only if conditions of Section 6.2 hereof are met.
Conflict. In the event of any conflict or inconsistency between this DPA and theEU Standard Contract Clauses for Data Transfers to Third Countries incorporated herein, the EU Standard Contractual Clauses for Data Transfers to ThirdCountries shall prevail.

7. Data Breaches

Notification. Support Bunny will notify Customer of any Data Breach promptly after detection of such Data Breach by Support Bunny. Where a European Data Protection Law applies,Support Bunny will notify Customer no later than 24 hours after such detection. The notification shall be carried out via email sent to Admin User Email Address.
Provided information. Support Bunny undertakes to provide the Customer with all reasonable cooperation and assistance, as well as all details of the Data Breach required for the Customer to comply with its obligations under the Applicable DataProtection Laws in relation to the Data Breach.

8. Audit rights

Customer audit right. If and to the extent such right is granted to the Customer by theApplicable Data Protection Laws, Customer or its independent third party auditor reasonably acceptable to Support Bunny (which shall not include any third party auditors who are either a competitor of Support Bunny or not suitably qualified or independent) may audit practices relevant to Personal Data Processing bySupport Bunny, if:

a) The Customer has reasonable grounds, proved in advance to Support Bunny, to believe that Support Bunny does not Process Personal Data in compliance with this DPA or the Applicable Data Protection Laws or thata Data Breach has occurred; or
‍
b) The audit is formally requested byCustomer’s data protection authority; or
‍
c) Applicable Data Protection Laws provideCustomer with a direct audit right.
Audit frequency. The Customer shall conduct the audit at maximum once in any twelve month period, unless Applicable Data Protection Laws require more frequent audits.
Cost of Audits. Each Party shall bear its costs of audits hereunder.

9. Return and deletion of customer's data

Return (export) right and deletion. Upon the termination of the Agreement, Support Bunny will permit the Customer to export the Personal Data Processed under this DPA, at its expense, in accordance with the capabilities of the Service, within the period of thirty (30) days following such termination. After the expiry of such period, Support Bunny will delete all Personal Data stored or Processed by Support Bunny exclusively on behalf of the Customer and their copies, unless an applicable law requires storage of the personal data. The Customer expressly consents to such deletion and acknowledges that following the period stated in the first sentence of this Section, Support Bunny shall not be able to facilitate any export of the Personal Data to the Customer, as such Personal Data shall be either deleted or archived by Support Bunny as a Data Controller for the purpose(s) and for the period(s) stated in Support Bunny’s Privacy Policy.

10. Terms and Amendments

Commencement and previous agreements. This DPA becomes effective the date on which Customer accepted this DPA and replaces, as of the same date, any previously applicable data processing terms
Duration. This DPA will remain in force as long as the Agreement.
Amendments.The customer explicitly acknowledges and agrees that this DPA may be amended in the same way as agreed by the parties for amendments of the Agreement, including Support Bunny's right to update the terms of the Agreement, any of its policies and this DPA from time to time, as decided by Support Bunny in its sole discretion, subject to notice to Customer at the Admin User Email Address.

11. Liability

Support Bunny’s aggregate liability. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Affiliates and Support Bunny, whether in contract, tort (including negligence) or under any other theory of liability, is subject to the ‘Limitation ofLiability’ section of the Agreement (or the section of the Agreement which addresses the exclusion and limitation of liability even if it does not have that heading), and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under theAgreement and all DPAs together.
Liability towards Customer’s Affiliates. For the avoidance of doubt, Support Bunny and its Affiliates’ total liability for all claims from Customer and all of its Affiliates arising out of or related to the Agreement and allData Processing Agreements whether in contract, tort (including negligence) or under any other theory of liability shall apply in the aggregate for all claims under both the Agreement and the Data Processing Agreements established under the Agreement or otherwise concluded between Support Bunny and the Customer and/or anyAffiliate, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Affiliate that is a contractual party to, or otherwise entitled to claim under, any such Data Processing Agreement.

12. Governing Law and Jurisdiction

Governing law. Without prejudice to mandatory application of Applicable DataProtection Laws, and respecting their potential mandatory prevalence, this DPA shall be governed by and construed in accordance with the laws of the country or territory stipulated for this purpose in the Agreement and each of the Parties agrees to submit to the choice of jurisdiction as stipulated in the Agreement in respect of any claim or matter arising under or related to this DPA.
Dispute resolution. In order to resolve amicably any dispute that may arise with respect to the interpretation, the performance and/or the termination of this DPA, theParties agree to negotiate after the receipt of a notice by one of the Parties, with the intent to solve any dispute in an amicable way. Failing for the parties to reach an amicable settlement by signing a settlement agreement within thirty (30) days following the notification by a party of the existence of the dispute and making an express reference to this provision, the Parties shall submit their dispute to the relevant court that will have jurisdiction to settle the dispute.

Exhibit A

Subject Matter of Processing
The subject matter of the processing is the Personal Data submitted to the Services by Customer pursuant to the Agreement.

Duration of Processing
‍The processing will continue until the expiration or termination of the Terms.

Nature and Purpose of Processing
‍Processing by Support Bunny to provide theServices to Customer pursuant to the Agreement.

The frequency of processing
On a continuous basis?

Types of Personal Data
Personal Data provided to Support Bunny by Customer or its Authorized Users, including:

Name, email address, and other account data;
Video, audio, and transcript data containing Personal Data;
Transaction logs for transactions conducted by users using the Service;
Information about the hardware used to access the Service;
Information and analytics about use of the Service;
Employee authentication information from the Customer helpdesk, such as user ID Other Personal Data uploaded or submitted by Customer or Authorized Users to the Services.

Exhibit B

Security Measures

Measures pseudonymizing and/orencrypting personal data
‍Support Bunny maintains Customer Content encryptedin transit with TLS and at rest with AES 256-bit encryption.
‍
Measures for ensuring on going confidentiality, integrity, availability and resilience of processing systems and services
The infrastructure for the Application Services spans multiplefault-independent availability zones in geographic regions physically separatedfrom one another; a variety of tools and processes are in place to maintainhigh availability and resiliency.

Measures ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Backups of the Customer Content are performed on a regular schedule andrecovery testing is periodically conducted. Customer Content is encrypted intransit with TLS and at rest with AES 256 bit encryption.

Processes for regularly testing,assessing and evaluating the effectiveness of technical and organizationalmeasures in order to ensure the security of the processing
Support Bunny maintains an enterprise-wide security program that includes administrative, organizational, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of Customer Content. Support Bunny conducts periodic reviews of itssecurity program through various internal auditing services.
‍
Measures for user identification andauthorisation
Support Bunny enforces password and multi-factor authentication requirements. Access rights are promptly removed with personnel termination. Support Bunny operates under the principle of least privilege which ensures that only those with a business need to access a system or data are authorized and utilizes role-based access controls (RBAC) to provision and control access.

Measures for the protection of data during transmission
Support Bunny maintains Customer Content encrypted in transit with TLS.
‍
Measures for the protection of dataduring storage
Support Bunny maintains Customer Content encrypted with AES-256 bit encryption.
‍
Measures for ensuring physical securityof locations at which personal data are processed.
Support Bunny hosts Personal Data primarily in AWS data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC2 compliant. AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. AWS on-site security includes a number of features, such as, security guards, fencing, securing feeds, intrusion detection technology, and other security measures. More details on AWS controls can be found at: https://aws.amazon.com/security

‍Measures for ensuring events logging
Support Bunny maintains application and infrastructure event logs. Events logs are managed centrally and contextually by the security team.

Measures for ensuring system configuration, including default configuration
‍Support Bunny maintains a change management policy with approval processes applicable to pre-production.Hardened security configuration and vulnerability fixes are used in the production environment.Pre-production and production environments are segregated.Support Bunny leverage tools to minimize security exposure including essential built-in security features such as minimal read-only root file system, file system integrity check, locked-down firewall, and audit logging.

Measures for internal IT and IT security governance and management
The security program at Support Bunny includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability ofCustomer Content taking into account the nature of the services provided bySupport Bunny and data protection laws and regulations applicable to Support Bunny in its performance of its services. Support Bunny maintains information security and privacy policies considering these aspects. These policies are approved by management, regularly reviewed, and made available to all employees.

Measures for ensuring limited data retention
‍Customers may delete at any time theirCustomer Content directly through the Application Services. Additionally, Support Bunny deletes the Customer Content at Customer’s request in accordance with the data processing addendum in place with its customers.

Measures for ensuring accountability
Support Bunny employs multiple controls to ensure high visibility and enforcement of change management policies to ensure accountability, including comprehensive system logs, code reviews, infrastructure as code, and filtering requests through a centralized ticketing solution.

Measures for allowing data portability and ensuring erasure
‍Customers may delete at any time theirCustomer Content directly through the Application Services. Additionally,Support Bunny deletes the Customer Content at Customer’s request in accordance with the data protection addendum in place with its customers.

Privacy for Humans

At Support Bunny, our users’ privacy is at the core of our decision making. We provide a service that changes the way support teams and their customers interact. It allows them to be more expressive and informative in their daily work communication. Sensitive information is passed through our systems, and we don’t take that lightly.We have created this page to show you how our systems use your information. If you wish to view our Privacy Policy, click here

Where does my data go within Support Bunny?

Text-based Data

Your text-based data is comprised of things like your name, notifications, password, linked accounts like Google and Slack, video names, comments, transcripts, and so on. The majority of this data is stored on an encrypted database at both rest and in-transit within AWS. This server is behind a VPC that only privileged servers have access to (such as our backend application servers). Some of this data is encrypted and sent to our caching layer where it is also encrypted at-rest. This caching layer is also behind a VPC and is additionally not accessible between data centers within AWS.

Image and Video Data

This includes your avatars, videos and thumbnails. These files are stored on our encrypted S3 buckets, which can only be accessed by certain robots and engineers within our organization who have special access.

In order to speed up delivery of your videos to your computer, we utilize our. Our CDN makes use of signed URLs. The CDN URL is not your video page URL. Your video page URL stays the same no matter what, but your CDN URL is the URL that actually delivers the video content.

When we sign these CDN URLs, we have complete control over deciding to not issue a URL to someone who requests it. Basically, even if you understand where a video is located on our CDN, you will not be able to access that URL unless you have the URL signed by us. This is how our password-protected videos work. In this case, we only give you a valid signed URL to view/download if you’ve provided the proper password. An additional benefit to signed URLs is that they expire, so old links will not be usable after some amount of time and you will then need to be issued a new one to access the same content.

Where does my data go outside of Support Bunny?

We only send data to trusted third-party systems that are subject to strict privacy and security controls. We think it’s important you understand not only what these systems are but also why we send your data to these systems. If you don’t agree with or understand our reasoning, please email us at privacy@Support Bunny.so. If you do not agree with your data going to a specific system, deleting your Support Bunny account will permanently delete all of your data from all our systems. If you participate in a Support Bunny Business or Support Bunny Enterprise account, only the Support Bunny account administrator at your organization can delete your data.
‍
For folks coming to figure out GDPR compliance, the following third-party services act as data processors for us. When we work with these service providers in our capacity as a data processor for our customers' personal data, the General Data Protection Regulation (GDPR) calls these third-party service providers a sub-processor. A subprocessor is a third party data processor engaged by Support Bunny who may have access to or process personal data: (i) on behalf of Support Bunny customers; (ii) in accordance with customer instructions as communicated by Support Bunny; and (iii) in accordance with the terms of a written contract between Support Bunny and the subprocessor.

☁️ Amazon Web Services (AWS)

Location: Europe or United States.
Nature of Processing: Cloud hosting services and storage
What: AWS is the cloud provider we use at Support Bunny to run our service. AWS processes, hosts, and stores your account and the videos you record with us.
Why: AWS provides Support Bunny with a reliable, scalable, and secure global computing infrastructure. In addition, AWS data centers have rigorous security, physical, and environmental controls to ensure these risks are mitigated. We leverage AWS services so we can continue focusing on providing our users the best recording experience.

☎️ Intercom

Location: Europe.
Nature of Processing: Customer support service.
What: Intercom is a messaging and marketing platform that allows us to do customer success better. This is where you’re able to chat with us from that little bubble in the bottom-right of our web pages.
Why: Intercom has drastically increased our ability to address bugs and handle requests from our users (that’s you!) over when we used to primarily use email. As a part of being able to maintain your relationship with us on this platform, we have to know who you are. We only know this once you’ve created an account, but we use this information for various debugging purposes and to send you product updates and announcements.

📊 Customer.io

Location: United States.
Nature of Processing: Transactional email service
What: is a messaging platform which allows us to communicate a variety of transactional emails and product updates via email with our users.
Why: Customer.io is designed to help communicate important account updates that are core to our recording and co-browsing experience. These emails include communicating topics such as video interactions, account information, and new product features.

🐦 Sentry

Location: United States.
Nature of Processing: Error logging service.
What: Sentry is used as our error logging platform. When you get an error, we get it too so we can better fix these bugs as soon as possible.
Why: No one likes bugs! Data sent to Sentry includes IP address and your Support Bunny ID and no other personal information. We grab your IP to get a general location the error is happening in and potentially pin-down bugs that have to do with timezones. We send your user ID so we can more quickly search and diagnose issues surfaced by our users in our customer support panel (Intercom). Your user ID does not reveal any other personal information to the engineer investigating the issue.

Who has access to what within Support Bunny?

Our non-technical team members have access to Intercom, which allows every person at Support Bunny to be able to do customer support. Over time, this will become more restricted as we scale up the team to only be customer support individuals.

Our technical team can be granted temporary access to our servers, video and thumbnail storage layers. This is only for debugging or development purposes. Each engineer has a unique key that identifies them within our systems. All actions are logged for 6 years. If their key is compromised, we have an instantaneous way of expiring that key, checking if their key was used by an outsider, and processes to remedy such situations and alert the affected user base. **So far, this has never happened in Support Bunny's history, and we’re very proud of that.

How can I export my data?

Videos: You can export all of your video data by downloading each individual video.

Text-based Data: Your user information, video titles and video metadata and tags can be exported. Just send us an email at privacy@Support Bunny.so
‍
If you ever want to delete your data, deleting your account will permanently delete all of your data off our systems.

Useful Vocabulary

🔒 Encrypted
Encryption is a process where data is scrambled with a specific secret that only a select few have. If this data is stolen, it cannot be understood unless the stealer has the proper secret. All of your personally-identifiable data (videos, images and text) are encrypted at-rest and in-transit across all systems.

🏃 In-transit
‍Your data is being sent from one location to another (usually one server/computer to another)

‍🛌🏾 At-rest
‍Your data is physically being stored on a device (usually a server)

‍🕳️ S3 Bucket
‍This is where we store larger (usually media) files such as images and videos

‍⚡ Cache Layer
‍A group of servers that uses faster storage for the purpose of being able to retrieve it faster

‍🤝 Database
‍This is a server that stores data that relates to one another. In other words, this is where we can query to answer questions like: "what is a user?", "does a user own one or many videos?", "could you get me a list of all of this user's comments?"

‍🔥 VPC
‍A firewall that blocks access to a server or group of servers only to users/robots that have the proper permissions

‍🌐 CDN
‍A CDN (Content Delivery Network) is a network of computers around the world whose purpose is to store data as close as possible to the downloader to speed up delivery of media.

‍🤖 AWS
‍Short for Amazon Web Services. This is the cloud provider we use at Support Bunny that allows us to rent storage and compute capacity from their data centers.

If you have any questions about privacy at Support Bunny, we are here to help. Email us at privacy@Support Bunny.so