Third Party Sub Processors

Who we are and what this is

Method Apps Limited (“we”, “us” or “our”).
Registered company address: 11 Laura Place, Bath, England, UK, BA2 4BL.
Registered in England & Wales 11235998.

Method Apps Limited engages the third party entities below to perform limited activities in connection with customer data associated with Method Grid and Method Apps Limited.


Google

Activity: Marketing, Office Applications, Communications, Support

Data processed: IP address, marketing tracking

App data processed: None

Data locations: US, Multiple

As described in our Privacy Shield certification, we comply with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use and retention of personal information from European Union member countries (including EEA member countries) and the UK as well as Switzerland, respectively. Google, including Google LLC and its wholly-owned US subsidiaries (unless explicitly excluded), has certified that it adheres to the Privacy Shield Principles. Google remains responsible for any of your personal information that is shared under the Onward Transfer Principle with third parties for external processing on our behalf, as described in the “Sharing your information” section.

Source: https://policies.google.com/privacy/frameworks?hl=en-US


Stripe Inc.

Activity: Finance

Data processed: Name, email, organization, billing details

App data processed: Name, email, organization, billing details

Data locations: US, Multiple

We are a global business. Personal Data may be stored and processed in any country where we have operations or where we engage service providers. We may transfer Personal Data that we maintain about you to recipients in countries other than the country in which the Personal Data was originally collected, including to the United States. Those countries may have data protection rules that are different from those of your country. However, we will take measures to ensure that any such transfers comply with applicable data protection laws and that your Personal Data remains protected to the standards described in this Privacy Policy. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your Personal Data.

If you are located in the European Economic Area (“EEA”), the UK or Switzerland, we comply with applicable laws to provide an adequate level of data protection for the transfer of your Personal Data to the US. Stripe Inc. is certified under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework and adheres to the Privacy Shield Principles in connection with personal data transfers from the EEA, the UK and Switzerland. For more, see Stripe’s Privacy Shield Policy. In addition, we have implemented intra-group data transfer agreements which you may view upon request.

UPDATE September 15, 2020: While Stripe Inc. remains self-certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield, it is not currently relying on these frameworks for the transfer of personal data to the U.S.

Where applicable law requires us to ensure that an international data transfer is governed by a data transfer mechanism, we use one or more of the following mechanisms: EU Standard Contractual Clauses with a data recipient outside the EEA or the UK, verification that the recipient has implemented Binding Corporate Rules, or verification that the recipient adheres to the EU-US and Swiss-US Privacy Shield Framework.

Source: https://stripe.com/gb/privacy


Xero Limited

Activity: Finance, Communications

Data processed: Name, email, organization, billing details

App data processed: None

Data locations: US

Similar to many SaaS providers, we use a top-tier, third-party data hosting provider (Amazon Web Services) with servers located in the U.S., to host our online and mobile services. For more information about AWS’s approach to compliance with the GDPR, see https://aws.amazon.com/compliance/gdpr-center/

Xero has no short term plans to store data in the EU, and this isn’t required under GDPR. Instead, GDPR requires companies to implement appropriate safeguards when they export personal data out of the EU.

Xero makes sure that it complies with EU data export restrictions when it exports data outside of the EU, and will be doing a full audit prior to May 2018 on the data export mechanisms it has in place to ensure they comply, and will continue to comply, with GDPR.

Source: https://www.xero.com/uk/campaigns/xero-and-gdpr/
Source: https://www.xero.com/uk/about/legal/privacy/


DigitalOcean, LLC

Activity: Infrastructure

Data processed: Name, email, organization, profile image, all app data

App data processed: Name, email, organization, profile image, all app data

Data locations: UK

… your proprietary data that you upload to Droplets, Spaces, and other services will remain within the region where you choose to host such data, unless we inform you otherwise.

Source: https://www.digitalocean.com/security/gdpr/faq/
Source: https://www.digitalocean.com/legal/privacy-policy/


Chargebee, Inc

Activity: Finance, Communications

Data processed: Name, email, organization, billing details

App data processed: Name, email, organization, billing details

Data locations: US

Chargebee participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all personal data received from European Union (“EU”) member countries and Switzerland, in reliance on the Privacy Shield Framework, to the Privacy Shield Framework’s applicable Privacy Shield Principles.

Source: https://www.chargebee.com/privacy/


Twilio Inc. (SendGrid)

Activity: Infrastructure, Communications

Data processed: Name, email, email tracking

App data processed: None

Data locations: US, Multiple

Twilio has certified with the EU–U.S. Privacy Shield Framework and the Swiss–U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of “personal data” (as defined under the Privacy Shield principles) transferred from the European Union and the United Kingdom, and/or Switzerland to the United States, respectively. Twilio has certified that it adheres to the Privacy Shield Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement for such personal data. As required under the principles, when Twilio receives information under the Privacy Shield and then transfers it to a third-party service provider acting as an agent on Twilio’s behalf, Twilio has certain liability under the Privacy Shield if both (i) the agent processes the information in a manner inconsistent with the Privacy Shield and (ii) Twilio is responsible for the event giving rise to the damage.

Source: https://www.twilio.com/legal/privacy
Source: https://www.twilio.com/gdpr


Cloudflare, Inc.

Activity: Infrastructure

Data processed: IP

App data processed: None

Data locations: US, Multiple

While Cloudflare no longer relies on the EU-U.S. and the Swiss -U.S. Privacy Shield as a lawful basis for international transfers of personal data from the EEA and Switzerland to the U.S., Cloudflare remains certified under both the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks respectively as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EEA, the UK, and Switzerland to the United States, respectively (“Privacy Shields”). We commit to periodically review and verify the accuracy of our policies and our compliance with the Privacy Shields. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

Source: https://www.cloudflare.com/en-gb/privacypolicy/
Source: https://www.cloudflare.com/en-gb/gdpr/introduction/


Tribe Technologies Inc.

Activity: Support, Communications

Data processed: Name, email, profile image, user generated content

App data processed: Name, email, profile image

Data locations: US

Tribe’s headquarters in Canada is our primary location for business operations. Servers hosting the Tribe platform are located in the US unless agreed as part of a separate agreement. In order to provide Use with the information, products, or services Use have requested, Personal Data may be transferred or shared with other companies within our family of companies, including those third-party vendors who act on our behalf, process Personal Data in accordance with the purposes for which the data was originally collected, or for purposes to which Data Subjects have subsequently consented. Our Privacy Policy, supported by model contract agreements and safeguards for data governance, are designed to provide equivalent data protection for all customers wherever they may reside.

Further, individuals located in the EU have certain rights under European law (including under the General Data Protection Regulation) with respect to Personal Information, including the right to request access to, obtain, correct, amend, delete, or limit the use of User’s personal data. Individual end users, customers or prospective customers located in the EU who wish to exercise these rights, should contact Tribe using the contact information below in Section 16. If we are processing User’s information on behalf of a third party then User should contact that party directly because Tribe serves as a data processor on behalf of third party in that instance and can only forward User’s request to the buyer to allow them to respond. Individuals also have the right to make complaints to regulatory authorities in respect of our privacy practices.

Source: https://tribe.so/privacy-policy
Source: https://blog.tribe.so/tribe-community-software-commitment-gdpr/


Prospect Global Ltd (SoPro)

Activity: Marketing

Data processed: Name, email, organization, email tracking, contact records

App data processed: None

Data locations: MK

We periodically appoint digital marketing agents to conduct marketing activity on our behalf, such activity may result in the compliant processing of personal information.

Prospect Global Ltd (trading as SoPro) Reg. UK Co. 09648733. You can contact SoPro and view their privacy policy here: http://sopro.io SoPro are registered with the ICO Reg: Z123456 their Data Protection Officer can be emailed at: dpo@sopro.io

We and Our other Group Companies have offices and facilities in Macedonia where your personal data may be processed. Transfers to Macedonia will be protected by appropriate technical and administrative safeguards included in our Terms of Contract for data processing agreed between us and our Macedonian counterparts which of course includes the standard clauses required under GDPR.

Source: https://sopro.io/legal/


HelloSign Service (JN Projects, Inc.)

Activity: Legal

Data processed: Name, email, address, signature

App data processed: None

Data locations: US, Multiple

Around the world – To provide you with the Services, we may store, process and transmit data in the United States and locations around the world – including those outside your country. Data may also be stored locally on the devices you use to access the Services.

Data Transfers. When transferring data from the European Union, the European Economic Area, the United Kingdom and Switzerland, HelloSign relies upon a variety of legal mechanisms, such as contracts with our customers and affiliates, Standard Contractual Clauses and the European Commission’s adequacy decisions about certain countries, as applicable.

EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield. HelloSign complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data transferred from the European Union, the European Economic Area, the United Kingdom and Switzerland to the United States, although HelloSign does not rely on the EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield Frameworks as a legal basis for transfers of personal data. HelloSign has certified to the Department of Commerce that it adheres to the Privacy Shield principles with respect to such data. You can also learn more about Privacy Shield at www.privacyshield.gov.

Source: https://gb.hellosign.com/privacy


Hubspot

Activity: Marketing, Support, Communications

Data processed: Contact details (name, email, phone, address etc.), company details and communication records

App data processed: None

Data locations: US, IE

To facilitate our global operations, we transfer information to either Ireland or the United States and allow access to that information from countries in which the HubSpot affiliated entities have operations for the purposes described in this policy.

This Privacy Policy shall apply even if we transfer Personal Information to other countries. We have taken appropriate safeguards to require that your Personal Information will remain protected. When we share information about you within and among HubSpot’s affiliated entities, we make use of standard contractual data protection clauses, which have been approved by the European Commission, and we have also certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks to help safeguard the transfer of information we collect from the European Economic Area (“EEA”), the United Kingdom, and Switzerland. Please see our Privacy Shield notice below for more information.

Source: https://legal.hubspot.com/privacy-policy


Contact

Questions, comments and requests regarding this policy are welcomed and should be addressed via our contact page here.


Change log

22 July 2021 – Updated to add Hubspot privacy policy. Removed information about Pipedrive and Calendly.
13 August 2021 – Removed references to Olark and GrooveHq.
19 November 2021 – Removed references to Campaign Monitor.

Try Method Grid - it's free Sign up