PRIVACY NOTICE

This Privacy Notice governs the collection, use, and disclosure of Personal Information by Coconut Software Corporation (“Company”, “we” or “us”). In compliance with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) and other applicable legislations, our Privacy Notice is designed to provide transparency regarding our privacy practices with respect to the use and disclosure of the Personal Information we collect from you when you use the Coconut Software appointment scheduling platform, company website (“Website”), and related services (together, the “Services”) under the Terms of Use (the “Terms”).

Please read this Privacy Notice carefully. By using the Services, you consent to the collection, use, and disclosure of Personal Information in accordance with the terms of this Privacy Notice. If you do not want us to collect, use, or disclose your Personal Information in the ways identified in this Privacy Notice, you should not use the Services.

Personal Information” means information about an identifiable individual and includes but is not limited to contact information (e.g., name, personal email address, and/or personal mobile telephone number). To the extent that this information is collected or provided through the Services and can be used to identify an individual, we will treat it as Personal Information in accordance with this Privacy Notice.

When using the Services, you will be asked to provide certain Personal Information, for example your name, email address, mobile telephone number, payment information, and information required to schedule appointments, including the date, time, and location of the appointment. (“Services Information”). We will collect Personal Information that is reasonable and necessary to fulfill the following purposes:

  • To create your account;
  • To schedule appointments and otherwise deliver the Services;
  • To process payments; and
  • For other purposes with consent or as permitted or required by law without consent.

If you subscribe to the Services, we collect and store Services Information for billing purposes.

Organizations using the Services create accounts for employees using non-personal information (e.g. work email address). Employees may voluntarily provide Personal Information.

Unless the purposes for collecting Personal Information are obvious and you voluntarily provide your Personal Information for those purposes, we will communicate the purposes for which Personal Information is being collected before or at the time of collection.

You may refuse to supply Personal Information but be aware that this can prevent you from engaging in certain activities in relation to the Services.

To improve our products and to provide the Services, we may collect and use technical data and related information in a form that does not personally identify you. This includes but is not limited to technical information about the device, system and application software, and peripherals you use to access the Services. We gather these periodically to:

  • Monitor system usage, server and software performance, to improve system design and products, to create benchmarks and to conduct trending analysis.
    Perform statistical analysis and generate data related to how users use the Services.
  • We also use Google, as a third party vendor, to serve Coconut Software ads on other websites. Google uses what it calls a “DART cookie” to enable it to serve ads to users based on their visits to participating websites. As a result of our use of Google as a vendor and the use of DART cookies, the ads that you will be served on the Internet may in some cases be based on your use of the Services. You may opt out of the use of the DART cookie by visiting the Google site.

Users can set preferences for how Google advertises to you using the Google Ad Settings page (https://adssettings.google.com/). Alternatively, you can opt out by visiting the Network Advertising Initiative Opt Out page (https://optout.networkadvertising.org) or by using the Google Analytics Opt Out Browser add on (https://tools.google.com/dlpage/gaoptout).

You own your Personal Information. By giving us Personal Information when you use the Services, you consent to your information being collected, used, disclosed and stored by us, only as described in this Privacy Notice.
At any time and without penalty, you can withdraw your consent to the use and disclosure of your Personal Information as set out in the Privacy Notice and delete your account by contacting us at privacy@coconutsoftware.com

We may also collect, use and/or disclose Personal Information for other purposes with your consent, or to the extent necessary for the purposes of meeting relevant regulatory, legal, insurance, audit, security and processing requirements, or to the extent permitted or required by applicable law.

You can opt-out of most email communication from us by clicking on the unsubscribe link at the bottom of our emails. As long as you are using our Services, we may still contact you for administrative purposes, for example to notify you of a change to the service, a change to the Privacy Notice, or a service interruption.

We will use your Personal Information for the purposes described above. We may also use Personal Information to:

  • Assist you with technical support issues. Most technical issues can be resolved without our support team viewing your Personal Information, but it may be required to assist with certain issues.
  • Comply with any laws, regulations, court orders, subpoenas, or other legal process or investigation and to protect us and other individuals from harm.

We may disclose your Personal Information to third parties acting on our behalf to deliver the Services (“Service Providers“) only where your Personal Information is protected under contract.

We may disclose your Personal Information to other third parties in relation to a merger, acquisition, or any form of sale of some or all of our assets or business. Your information may be provided to the entities and advisors involved, for the purposes of determining whether to proceed with the transaction and, where applicable, to conclude the transaction. Your information may be transferred to a successor or assign of all or part of our assets or business that may use and disclose the information for the purposes described in this Privacy Notice.

We will not use or disclose your Personal Information for any additional purpose unless we obtain your consent to do so.

With your consent, we may use your opinion, testimonial, or comments about our Services on our Website and in other materials. If at any time you want your name, testimonial or comment removed, please contact us at privacy@coconutsoftware.com

We will never sell your Personal Information.

The Company may collect, use, and disclose any non-personally identifiable information that has been derived from your Personal Information or use of the Services (“Anonymous Data”). Anonymous Data includes aggregated and de-identified data.

We will retain Personal Information for a reasonable amount of time necessary to fulfill the identified purposes or as permitted or required by law. We may keep your Personal Information until you delete your account or let us know that you no longer require the Services.

We rely on you to ensure that the Personal Information you provide while using the Services is accurate, complete and up-to-date. You are welcome to make changes and request deletion or corrections to Personal Information at any time by updating your account settings or by contacting us at privacy@coconutsoftware.com

Our legal basis for collection and use of Personal Information as a data controller depends on the specific circumstances in which it was collected. In general, we will process your Personal Information under the following basis:

  • Consent – we will process your Personal Information if you have consented to the processing activity. You may revoke your consent at any time and we will cease further processing of your Personal Information (this will not impact the lawfulness of processing your Personal Information based on consent before it was withdrawn).
  • Contract – we may process your Personal Information to perform our obligations to you under a contract.

We will maintain appropriate storage and processing practices and security measures to protect your Personal Information from unauthorized access, collection, use, disclosure, copying, modification or disposal or destruction. We will train our team on privacy and security practices.

We will ensure that any third party acting on our behalf in respect of your Personal Information maintains reasonable and appropriate safeguards. We use third-party services to host our Services called Amazon Web Services (“AWS”) which stores your Personal Information on secure and controlled environments. Personal Information is encrypted when it is collected via the Services. For more information about AWS’ privacy protection and data security practices, please visit https://aws.amazon.com/privacy/

We will use appropriate security measures when destroying Personal Information such as deleting electronically stored information.

We will review and update our security policies and controls as technology changes to ensure ongoing Personal Information security, however please bear in mind that no internet or email transmission is ever fully secure or error free and no security system is impenetrable. We cannot fully guarantee the confidentiality of any information that you share with us.

It’s important to guard your privacy when you are online. If our Services contain links to other websites, this Privacy Notice does not govern those websites. Whether we have posted those links or other organizations or individuals have, you should read their privacy policies and make an informed decision about whether you want to use those websites or their services.

Depending on where you are located when you use or access the Services, your Personal Information may be transferred across international borders outside the country where you use or access the Services, including to countries outside the European Economic Area (“EAA”) that do not have laws providing specific protection for personal data or that have different legal rules on data protection. In such cases, we ensure that there is a legal basis for such transfer and that adequate protection for your Personal Information is provided as required by applicable law, for example, by using contractual clauses approved by the European Commission or other relevant authorities, by using certain services providers that are GDPR compliant.

Our company is located in Canada but we use service providers located inside Canada as well as the United States. This means that your Personal Information may be processed and stored in those countries and therefore may be subject to disclosure under the laws of those jurisdictions made available to local governments or their agencies under a lawful order. For more information, please contact our Privacy Officer at privacy@coconutsoftware.com.

If you are an individual from the EEA, and access or use the Services from the EEA, we process your Personal Information both as a Controller and Processor, as such terms are used in the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679 (“GDPR”). Our legal basis for collecting and using the Personal Information will depend on the Personal Information concerned and the specific context in which we collect it. We process your Personal Information as a controller and processor when you access or use the Services and submit Personal Information to us.

If you are an individual from the EEA, and access or use the Services from the EEA, you have certain additional rights provided by the GDPR as follows:

  • Right to be informed of how your Personal Information is used – you have the right to be informed about how we will use and share your Personal Information. The explanation will be provided to you in concise, transparent, intelligible and easily accessible format and will be written in clear and plain language.
  • Right to access Personal Information – you have the right to obtain confirmation of whether we are processing your Personal Information, access your Personal Information and information regarding how your Personal Information is being used by us.
  • Right to have inaccurate Personal Information rectified – you have the right to have any inaccurate or incomplete Personal Information rectified. If we have disclosed the relevant Personal Information to any third parties, we will take reasonable steps to inform those third parties of the rectification where possible.
  • Right to have Personal Information erased in certain circumstances – you have the right to request that certain Personal Information held by us be erased. This is also known as a right to be forgotten. This is not a blanket right to require all Personal Information to be deleted. We will consider each request carefully in accordance with the requirements of any laws relating to the processing of your Personal Information.
  • Right to restrict processing of Personal Information in certain circumstances – you have the right to block the processing of your Personal Information in certain circumstances. This right arises if you are disputing the accuracy of the personal Information, if you have raised an objection in processing, if processing of Personal Information is unlawful and you oppose erasure and request prescription instead or if the personal Information is no longer required by us but you require the Personal Information to be retained to establish, exercise or defend a legal claim.
  • Right to data portability – in certain circumstances you can request to receive a copy of your Personal Information in a commonly used electronic format. This right only applies to Personal Information that you have provided to us (such as Identify Information, Contact Information). The right to data portability only applies if the processing is based on your consent or if the Personal Information must be processed for the performance of a contract and the processing is carried out by automated means.
  • Right not to be subject to automated decisions – you have the right not to be subject to a decision which is based on automated processing where the decision will produce a legal effect or a similarly significant effect on you.
  • Right to object to processing of Personal Information – you have the right to object to the processing being carried out by us if we are processing Personal Information based on a legitimate interest or if we are using Personal Information for direct marketing purposes or if the information is being processed for scientific or historical or other statistical purposes. You will be informed that you have the right to object at the point of data collection and the right will be brought explicitly to your attention.

We will work to process all verified requests in a timely manner (within 1 calendar month). If the request is complex we may take up to 3 calendar months, we will provide you details about the request.

You may exercise any of your rights referred to above by contacting our Privacy Officer at privacy@coconutsoftware.com. We may require additional information from you to allow us to confirm your identity.

This California Consumer Privacy Act (“CCPA”) disclosure explains how we collect, use, and disclose Personal Information relating to California residents covered by the CCPA. Under the CCPA, the specific Personal Information that we collect, use, and disclose relating to a California resident covered by the CCPA will vary based on our relationship or interaction with that individual.

In the past 12 months, we may have collected, and disclosed to third parties for our business purposes, the following categories of Personal Information relating to California residents covered by this disclosure:

  • Identifiers, such as name and last name;
  • Personal Information, as defined in the California safeguards law, such as contact information and/or financial information;
  • Characteristics of protected classifications under California federal law;
  • Commercial information, such as transaction information and/or purchase history;
  • Biometric information, such as fingerprints and/or voiceprints;
  • Internet or network activity information, such as browsing history and interaction with websites;
  • Geolocation data, such as device location and internet protocol (IP) location;
  • Audio, electronic, visual and similar information, such as call and video recordings;
  • Inferences drawn from any of the Personal Information listed above to create a profile about, for example, and individual’s preferences and characteristics.

The categories of third parties to whom we disclosed CCPA Personal Information for our business purposes described in this privacy disclosure are:

  • Our customers to which the Personal Information relates.
  • Vendors and services providers who provide services such as website hosting, data analysis, information technology and related infrastructure, customer service, email delivery, auditing, marketing and marketing research activities.
  • Government agencies as required by laws and regulations.

In the past 12 months, we may have used Personal Information relating to California residents to operate, manage, and maintain our business, to provide our products and services, and to accomplish our business purposes and objectives, including the following:

  • Performing services.
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity.
  • Auditing related to a current interaction and concurrent transactions.
  • Undertaking activities to verify or maintain the quality or safety of a service controlled by us, and to improve, upgrade, or enhance the service controlled by us.
  • Debugging to identify and repair errors that impair existing intended functionality.
  • Undertaking internal research for technological development and demonstration.
  • Complying with laws and regulations and to comply with other legal process and law enforcement requirements (including any internal policy based on or reflecting legal or regulatory guidance, codes or opinions.).

In the past 12 months, we have not “sold” Personal Information subject to CCPA. We will never sell your Personal Information.

If you are a California resident, you have the right to:

  • Request we disclose to you free of charge the following information covering the 12 months preceding your request:
    • The categories of Personal Information about you that we collected;
    • The categories of sources from which the Personal Information was collected;
    • The purposes of collecting Personal Information about you;
    • The categories of third parties to whom we disclosed Personal Information about you and the purpose for disclosing the Personal Information about you;
    • The specific pieces of Personal Information we collected about you.
  • Request we delete Personal Information we collected from you, unless the CCPA recognizes an exception
  • Be free from unlawful discrimination for exercising your rights under the CCPA

We will acknowledge receipt of your request and advise you how long we expect it will take to respond if we are able to verify your identity. Requests for specific pieces of Personal Information will require additional information to verify your identity.

In some instances, we may not be able to honor your request (we will not be able to honor your request if we cannot verify your identity). Additionally, we will not honor your request where an exception applies, such as where the disclosure of Personal Information would adversely affect the rights and freedoms of another customer or where the Personal Information that we maintain about you is not subject to the CCPA’s access or deletion rights. We will advise you in our response if we are not able to honor your request.

We will work to process all verified requests in a timely manner (within 45 days). If we need an extension in order to process your request, we will provide you with an explanation for the delay.

You may exercise any of your rights referred to above by contacting our Privacy Officer at privacy@coconutsoftware.com. We may require additional information from you to allow us to confirm your identity.

The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) were developed to facilitate transatlantic commerce by providing U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union / European Economic Area, the United Kingdom (and Gibraltar), and Switzerland that are consistent with EU, UK, and Swiss law.

Organizations participating in the EU-U.S. DPF may receive personal data from the European Union / European Economic Area in reliance on the EU-U.S. DPF effective July 10, 2023. July 10, 2023 is the date of entry into force of the European Commission’s adequacy decision for the EU-U.S. DPF and the effective date of the EU-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles. The adequacy decision enables the transfer of EU personal data to participating organizations consistent with EU law.

Organizations participating in the UK Extension to the EU-U.S. DPF may receive personal data from the United Kingdom and Gibraltar in reliance on the UK Extension to the EU-U.S. DPF effective October 12, 2023, which is the date of entry into force of the adequacy regulations implementing the data bridge for the UK Extension to the EU-U.S. DPF. The data bridge for the UK Extension to the EU-U.S. DPF enables the transfer of UK and Gibraltar personal data to participating organizations consistent with UK law.

The effective date of the Swiss-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles is July 17, 2023; however, personal data cannot be received from Switzerland in reliance on the Swiss-U.S. DPF until the date of entry into force of Switzerland’s recognition of adequacy for the Swiss-U.S. DPF. The recognition of adequacy will enable the transfer of Swiss personal data to participating organizations consistent with Swiss law.

The Data Privacy Framework (DPF) program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables eligible U.S.-based organizations to self-certify their compliance pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF. To participate in the DPF program, a U.S.-based organization is required to self-certify to the ITA via the Department’s DPF program website (i.e., this website) and publicly commit to comply with the DPF Principles. While the decision by an eligible U.S.-based organization to self-certify its compliance pursuant to and participate in the relevant part(s) of the DPF program is voluntary, effective compliance upon self-certification is compulsory. Once such an organization self-certifies to the ITA and publicly declares its commitment to adhere to the DPF Principles, that commitment is enforceable under U.S. law.

Rights to ask about:

  • Information on the types of personal data collected
  • Information on the purposes of collection and use
  • Information on the type or identity of third parties to which your personal data is disclosed
  • Choices for limiting use and disclosure of your personal data
  • Access to your personal data
  • Notification of the organization’s liability if it transfers your personal data
  • Notification of the requirement to disclose your personal data in response to lawful requests by public
  • authorities
  • Reasonable and appropriate security for your personal data
  • A response to your complaint within 45 days
  • Cost-free independent dispute resolution to address your data protection concerns
  • The ability to invoke binding arbitration to address any complaint that the organization has violated its obligations under the DPF Principles to you and that has not been resolved by other means

https://www.dataprivacyframework.gov/program-articles/My-Rights-under-the-Data-Privacy-Framework-(DPF)-Program

You may exercise any of your rights referred to above by contacting our Privacy Officer at privacy@coconutsoftware.com. We may require additional information from you to allow us to confirm your identity.

You may exercise your right to complain under Data Privacy Framework (DPF) Program by contacting us or following the complaint procedure listed under DPF (https://www.dataprivacyframework.gov/program-articles/How-to-Submit-a-Complaint-Relating-to-a-Participating-Organization%E2%80%99s-Compliance-with-the-DPF-Principles)

We use cookies to improve your experience, to save you time, and to make it possible to navigate our website. We do not link the information we store in cookies to any Personal Information you submit while using our service or visiting our websites. You can remove cookies manually by following directions provided in your Internet browser’s “help” file. If you refuse cookies, you will not be able to use some or all of our service, since some cookies are essential to navigation.

We think that children’s privacy is particularly important and we do not knowingly collect Personal Information about anyone 13 years or younger. If notified of having done so, we will take immediate steps to remove such data from our databases.

You may request access to, make corrections to, or delete the Personal Information we hold about you at any time, subject to limited exceptions. Upon written request, we will also provide you with a list of individuals or entities (e.g. third party service providers) to which we have disclosed your Personal Information, if applicable, subject to any restrictions under applicable laws. Please contact our Privacy Officer at privacy@coconutsoftware.com for additional information.

We may amend this Privacy Notice from time to time. We will post any changes to this page and, if the changes are significant, we will provide a more prominent notice (including email notification if appropriate).

Your continued use of the Services following the posting of changes to this Privacy Notice will signify your acceptance of those changes. We will keep prior versions of this Privacy Notice in an archive for your review.

We encourage you to periodically review this page for the latest information on our privacy practices and to contact us if you have any questions or concerns.

Questions and Complaints

You may send your privacy-related questions, concerns or complaints to our Privacy Officer who is responsible for ensuring our compliance with this notice and with the appropriate privacy legislation.

Privacy Officer
Coconut Software
102-121 Research Drive
Saskatoon, SK
S7N 1K2
Email: privacy@coconutsoftware.com
If our Privacy Officer is unable to resolve your concern, you may also write to the Office of the Privacy Commissioner of Canada.

Last updated: May 6, 2024