Privacy Policy

Who we are

Community Box Directory Software Inc. incorporated in British Columbia, Canada (incorporation no. BC1427000) is the developer of Community Box. We enable clients to add beautiful directories to their existing websites.

We are accountable for compliance with PIPA, British Columbia’s Personal Information Protection Act which sets out rules for how organizations collect, use and disclose personal information.

For the purposes of data protection legislation:

• To the extent that EU and UK Privacy Laws apply to our handling of information about you, Community Box is a “data controller”.

• To the extent that the California Consumer Privacy Act applies to our handling of information about you, Community Box is a “business”

• To the extent that EU and UK Privacy Laws apply to our handling of your Profile or your Members’ Profile data, Community Box is a “data processor” or a “data sub-processor”

• To the extent that the California Consumer Privacy Act applies to our handling of information about your Profile or your Members’ Profile data, Community Box is a “service provider”

Contact details

Our registered offices are at 3710 Bute Street, Port Alberni, BC V9Y 7S9.

Our privacy officer is Roland Hougs. You can contact our privacy officer on help@communitybox.co.

Definitions

In this document the following terms are used:

• Visitors: people who visit your website, and interact with the Community Box directory that you have embedded thereupon

• Members: people who have ownership of, or manage one or more profiles in your directory

• Functionality: the totality of the features offered by Community Box, including but not limited to, the ability to embed one or more user-driven directories on your website

• EEA: the European Economic Area

• SOC: System and Organization Controls, as defined by the American Institute of Certified Public Accountants

• HIPAA: Health Insurance Portability and Accountability Act of 1996

• NIST: National Institute of Standards and Technology

• FedRAMP: Federal Risk and Authorization Management Program

Consent

In plain English: You don’t have to share your data with us, but without sharing it, we cannot provide you with the Functionality.

Providing us with personal data is purely consensual. You are not obligated under any laws to provide us with any personal data, but without providing such personal data, we cannot provide you with the Functionality.

This privacy notice applies to personal information we collect about you when you interact with us (for example when you use our website or platform). It sets out:

• what information we collect, and from whom;

• how we use that information;

• how long we keep your information;

• whom we share your information with;

• how your information is protected;

• your rights in relation to the information we hold about you.

We keep our privacy notice under regular review, and we encourage you to periodically review this page for the latest information on our privacy practices. Any material changes will be notified to you by updating them on our website, together with any such other methods as may be appropriate.

This Privacy Policy also extends to data which may be provided to us by our clients and other parties who may provide us with data, or access to data, from time to time, in the course of dealing with that party.

Our use of your personal data will always have a lawful basis, either because it is necessary for our performance of a contract with you, or because you have consented to our use of your personal data, or because it is in our legitimate interests. Specifically, we may use, and you consent to us using, your data for the following purposes:

• providing and managing your access to our platform and website

• personalising and tailoring your experience on our platform and website

• providing you with cost guidance about our Functionality and/or goods

• providing you with other information about our Functionality and/or goods

• supplying our Functionality and/or goods to you, which may include:

  • access to the Community Box Platform

  • IT support for your use of Community Box's Platform.

• communicating online, through social media, by post, email or telephone or by any other means, with you;

• providing you with newsletters and other material, which may include marketing material, relevant to our Functionality and/or goods, email or other means (provided that you may unsubscribe or opt-out at any time, and where practicable, we will include a link to facilitate that);

• analysing your use of our website and platform to enable us to improve our website and platform and your user experience.

What information does Community Box collect?

Information you provide to us voluntarily

You may give us your personal information when you:

• sign up for a Community Box account

• upgrade to a paid Community Box plan

• interact with our Customer Support team

• opt-in to receive emails from us

• use, or provide a comment on our websites

• correspond with or contact us

• interact with us on social media platforms

• sign up to one of our newsletters or other communications

• otherwise interact with us or provide information to a third party to be referred to us

Where we request information from you, we will collect the information set out in the relevant forms or pages. You may choose to provide additional information to us when you contact us or otherwise interact with us or provide information to a third party to be referred to us.

Information which is available publicly

Your personal information may be available to us from external publicly available sources: for example, geo-demographic information and information from public registers such as listed directorships, information from the electoral roll and press reports, or social media.

Information we collect automatically

We, or the companies that work on our behalf, or any 3rd-party sub-processors, collect data related to visitors to our websites automatically, including what pages you have viewed, for how long and your website journey. We may also collect data relating to your usage of the dashboard, and relating to how your members make use of the embedded Community Box directory. We do so, both in order to:

• improve the quality of the service

• detect and quickly respond to any bugs, crashes or other service degradations

• collect usage data for you to access, to help you monitor how visitors to your directory are interacting with the directory

Information is also collected about how you arrived at our websites in the first place, including what links or adverts of ours you have viewed or clicked on to reach us, or any search terms you have used. Where you see an advert for us outside of our websites, for example on social media, we will place a cookie on your browser so that, when you access our websites, we recognise that you have seen an advert of ours elsewhere. Information collected automatically using cookies or other tracking technologies includes your IP address. We may also place cookies on your browser to make it easier for you to login, and to allow our Customer Support team to respond more quickly to your queries. We may also place cookies on your Members’ and Visitors’ devices as and when they access your embedded directory, to make logging in easier for them and to make it easier for us to assist you with any support requests that you get from your Members and Visitors.

Cookies and analytics

This website is hosted by Squarespace. Squarespace collects personal data when you visit this website, including:

• Information about your browser, network and device

• Web pages you visited prior to coming to this website

• Web pages you view while on this website

• Your IP address

Squarespace needs the data to run this website, and to protect and improve its platform and services. Squarespace analyzes the data in a de-personalized form.

Analytics

This website collects personal data to power our site analytics, including:

• Information about your browser, network, and device

• Web pages you visited prior to coming to this website

• Your IP address

This information may also include details about your use of this website, including:

• Clicks

• Internal links

• Pages visited

• Scrolling

• Searches

• Timestamps

We share this information with Squarespace, our website analytics provider, to learn about site traffic and activity.

Cookies

This website uses cookies and similar technologies, which are small files or pieces of text that download to a device when a visitor accesses a website or app. For information about viewing the cookies dropped on your device, visit The cookies Squarespace uses.

• These necessary and required cookies are always used, which allow Squarespace, our hosting platform, to securely serve this website to you.

• These analytics and performance cookies are used on this website, as described below, only when you acknowledge our cookie banner. This website uses analytics and performance cookies to view site traffic, activity, and other data.

Fonts

This website serves font files from and renders fonts using Google Fonts. To properly display this site to you, these third parties may receive personal information about you, including:

• Information about your browser, network, or device

• Information about this site and the page you’re viewing on it

• Your IP address

What types of data does Community Box process?

We collect, store and use the following types of data:

• your name, email address and postal address

• details about your Community Box account

• information you provide on other individuals

• correspondence you have had with us

• information about your computer/mobile device and your visits to and use of our websites

• details about you that are stored in documents in different formats, or copies of them

• any other information shared with us as described in Section 1 above.

How does Community Box use my data, and on what legal basis?

The following sections describe in more detail how Community Box may use your information, and in particular the legal grounds on which we rely in doing so.

What we use your personal information for

We use the information collected for a number of purposes, including:

• to verify and manage your account

• to provide you with technical and account-related support

• to make and manage payments

• to manage our relationship and communicate with you

• to respond to complaints and seek to resolve them

• to enhance your online experience

• to better understand our account holders and supporters in general

• to respond to individual experiences shared with us and for editorial content

• to understand your website journey, including what pages you have viewed and for how long

• to improve the effectiveness our advertising campaigns

• to administer and keep safe and secure our websites and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes

• to train our staff and measure the quality of the service we give you

• to obey laws and regulations that apply to us

The legal grounds we rely on to process your information

The legal grounds on which we rely are:

• fulfil our contractual obligations (for example in order to provide Functionality requested by account holders and to contact you if a problem arises with them);

• to pursue our legitimate interests (for example to facilitate your use of our websites, or for marketing);

• your consent; and / or

• to fulfil a legal duty

Legitimate interests

When we rely on our legitimate interests, these are as follows:

• keeping our records up to date

• charging for Community Box accounts

• developing our account offers

• marketing our products and Functionality

• administering our websites and keeping them safe and secure

• ensuring that content is presented in the most effective manner for you and your devices

• facilitating your use of our websites and platform

• measuring the use of our platform & websites and improving their content and accessibility

• tailoring content and our communications so that they are most relevant to you;

• complying with legal and/or regulatory requirements

• identifying trends in customer/client behaviour

• informing and generating content

Handling and Security of your data

Community Box processes data in data centres based in the EEA and the United States of America (for information about the legal framework applying to data transfers from the EEA to United States please see section 6), as well as in the cloud.

Where SOC and HIPAA compliance is relevant, these data centres are SOC 2 Type II and HIPAA certified.

Where HIPAA compliance is not relevant (for cloud processing, for example) the cloud providers are FedRAMP and NIST 800-53 compliant, these regulations map onto HIPAA for the purposes of cloud processing.

The data centres and cloud processing functionality are operated by Amazon Web Services and UpCloud.

Who does Community Box share my information with?

Day-to-day

To help us provide the Service and to pursue our legitimate interests, we share your personal information with the third parties listed below, who provide functionality to Community Box or who act on our behalf for purposes such as payment processing or customer support. We do not authorise these companies to use or disclose your personal information except for the purpose of providing the service we request of them. Community Box is based in Canada, and some third-party data processors are based outside of the European Economic Area (EEA).

Help Scout

We use Help Scout to handle customer support and problem resolution. Most interactions you make with us will likely be handled by, and stored in, in Help Scout. Read Help Scout’s Privacy Policy

Zoom

We use Zoom for customer calls and webinars. Read Zoom’s Privacy Policy

Google Calendar

We use Google Calendar to schedule calls and meetings with our customers. Read Google’s Privacy Policy

Google Mail

We use Google Mail to handle any some email correspondence with our customers, consultants and suppliers. Read the Google Mail Privacy Policy

Amazon Web Services

We use Amazon Web Services to perform cloud-based processing as part of providing the core functionality of Community Box. Read the Amazon Web Services Privacy Policy

PostMark

We use PostMark to handle service-based email interaction with you (for example, to notify you of new profiles being added) and with your members (for example, if one of your members requests a password-reset link, which will be sent to them by email). Read the PostMark Privacy Policy

Mapbox

We use Mapbox to provide mapping and geocoding functionality, as part of the normal operation of Community Box. Read the Mapbox Privacy Policy

Google Maps

Although we no longer use Google Maps, some legacy customers are still using Google Maps as their mapping solution. For those customers, read the Google Maps Privacy Policy

Stripe

We use Stripe to handle payment processing. Read the Stripe Privacy Policy

Other circumstances in which we will disclose your information

We will disclose your information to local and foreign regulators, governments, law enforcement authorities, advisors, courts, tribunals and arbitrators when we have a legal obligation to do so or when we believe our compliance with the request to be fair, reasonable and lawful, e.g. to detect, prevent or investigate security breaches, fraud or other crimes.

We will also disclose your information to establish, exercise or defend legal claims, for example: (i) to enforce our Terms and Conditions; (ii) to ensure the safety and security of our users, consumers and third parties; and (iii) to protect our rights and property and the rights and property of our platform and website visitors, consumers and third parties.

Data transfers outside the European Economic Area

As part of its normal operation, Community Box or its third parties (see section 4) may transfer data about citizens in the EEA to to other data centres around the world. Such transfers are regulated by the Standard Contractual Clauses brought into effect by the Commission Implementing Decision C(2021) 3701 and the Commision Implementing Decision C(2021) 3972, of 4th June 2021.

In plain English, these Standard Contractual Clauses declare that, to the extent that it is practical, wherever data belonging to citizens in the EEA flow to non-EEA countries, protection similar to that which applies within the EEA will continue to apply.

For more details about the above, and links to the full text of these SCCs please see the following page: European Commission adopts new tools for safe exchanges (europa.eu).

How long is my information retained?

Whenever we collect or process your personal data, we will only keep information about you for as long as we need to fulfil the purposes for which we are processing your information or for an appropriate retention period thereafter. At the end of that retention period, your data will either be deleted or anonymised. Examples of our retention periods are:

• Where you are a client/customer, we would normally keep your information for the duration of your contract and then a period of up to seven years after you cease being a client/customer.

• Where we need to keep your information for financial reporting obligations, we would normally keep it for seven years from the date of payment.

• Where we need to keep your information relating to complaints you have made, we would normally keep it for seven years from the end of that matter.

• All data pertaining to personal abuse, stalking, and harassment are kept until the legal authorities no longer require it to be kept.

What are my data protection rights?

You have the following rights in relation to your personal data:

• Access: The right to request access to and a copy of your personal information (which can be done by emailing help@communitybox.co);

• Restriction: You can ask us to pause processing your information in certain circumstances (eg you are disputing its accuracy);

• Rectification: You can have any inaccuracies in your personal information corrected;

• Deletion/right to be forgotten: You can ask us to delete all your personal information in certain circumstances (eg if the information is no longer necessary for the purposes for which it was collected);

• Objection: You can object to us processing your personal information in certain circumstances;

• Objection to marketing: please contact us at help@communitybox.co to opt-out of direct marketing communications;

• Portability: You can ask us to transfer your information electronically to you or another organisation in certain circumstances;

• Withdrawal of consent: Where we rely on your consent to process your information, you can withdraw consent at any time, although this will not affect our uses of your personal information prior to the withdrawal of your consent; and

• To lodge a complaint with PIPA or other relevant supervisory authority: Please see the section below, What can you do if you are unhappy with the way we have processed your personal data? for more information.

Please be aware that you are under no obligation to provide us with your personal information. However, failure to do so may, in some circumstances, will prevent us from being able to provide you with the Functionality of the product, or otherwise interact with you.

When exercising your data protection rights we may ask you to verify your identity in order to help us respond efficiently to your request.

If you would like to exercise any of the above rights, please email us at help@communitybox.co.

All of these rights are free to exercise and we will do our best to respond to you as quickly as possible and in any event, within 72 hours of receipt of your written request. We will inform you within 72 hours of receipt of such a request if we will need longer to respond, for example due to the complexity of the request.

We want to make sure that your personal information is accurate and up to date. Please always let us know at help@communitybox.co if you think that it is not and needs updating.

Third party websites and social media

Where we provide links to other websites, we do so for information purposes unless otherwise indicated. The other websites are outside our control and are not covered by this privacy notice. If you access other websites using the links provided, the operators of these websites may collect information from you which will be used by them in accordance with their privacy notice, which may differ from ours.

On some pages of our websites, third parties that provide content, applications or plug-ins through our websites may track your use of content, applications and plug-ins or customise content, applications and plug-ins for you. For example, when you share an article using a social media sharing button on our websites, the social network that has created the button will record that you have done this.

Use of our website and Functionality by minors

In plain English: We don’t knowingly collect information about children. Furthermore, our Terms and Conditions prohibit Community Box from being used by minors, or used for the purpose of storing information of any kind about minors.

We will not knowingly contact or engage with children under the age of 18. If you have reason to believe that a child under the age of 18 has provided us with their personal data, please contact us, and we will act in accordance with the applicable law.

Updates to this Privacy Policy

Community Box may need to update this Privacy Policy from time to time.

If we make any updates, such as materially changing how we use your personal data, we will alert you as required by applicable privacy laws.

The privacy policy is reviewed annually in line with our risk assessment and Data Protection Impact Assessments.

What can you do if you are unhappy with the way we have processed your personal data?

If you have any concerns about my use of your personal information, you can make a complaint to the Privacy Officer using the contact details at the top of this page.

Please note: you may be required to prove your identity before discussing any complaint or request that involves your personal information.

If you are unhappy with our response, ou also have a right to lodge a complaint with the Office of the Information and Privacy Commissioner for British Columbia (OIPC).        

Office of the Information and Privacy Commissioner for British Columbia
PO Box 9038 Stn. Prov. Govt.
Victoria B.C. V8W 9A4

+1 250-387-5629

info@oipc.bc.ca