doxo Privacy and Security Policy
Effective date: July 24, 2020
doxo is designed for doxo users to pay their bills, organize Provider accounts; manage personal account information, reminders, and documents; and establish connections with Providers to receive documents paperlessly, all in one place.
doxo is committed to maintaining the confidentiality, integrity and security of any and all personal information about doxo users. This Privacy and Security Policy (the “Policy”) explains how doxo protects information provided through our websites doxostaging.wpengine.com, secure.doxo.com, pay.doxo.com, and user.doxo.com and applications accessing those websites (the “Site”) and how doxo uses that information in connection with the doxo service offered through the Site (the “Service”). “Private Information” for purposes of this Policy means information provided to us that identifies you, such as your name, address, phone number, email address, any account information or other information you store about your relationship with your Providers, and any documents and accompanying information that are stored on your behalf by doxo. doxo privacy standards are designed to guard against identity theft, to protect sensitive data, and provide security for your Private Information. doxo regularly re-evaluates privacy and security policies and adapts them as necessary to deal with new challenges. Capitalized terms used by not defined in this Policy will have the meanings defined in the doxo User Terms of Service
1. Your Private Information is not for sale
Simply put, doxo will not sell or rent your Private Information to anyone, for any reason, at any time. doxo uses and discloses your Private Information only as follows:
- to deliver and post your payments to Providers;
- to analyze Site usage and improve the Service;
- to deliver to you any administrative notices, alerts and communications relevant to your use of the Service;
- for market research, project planning, troubleshooting problems, detecting and protecting against error, fraud or other criminal activity;
- to third-party contractors that provide services to doxo and are bound by privacy restrictions at least as protective as this Policy (e.g. auditors, technical consultants);
- to enforce the doxo User Terms of Service; and as otherwise set forth in this Policy.
2. What information doxo collects and stores for you
Certain areas and features of the Site are available to you without registration or the need to provide doxo any information. However, other features of the Site or the Service require registration, which may involve provision to doxo of an email address, a password and your zip code (collectively the “Registration Information”). In order to benefit from the full functionality of the Service, you may be required to provide additional information:
- if you choose to establish a “connection” with a Provider on doxo (“Connect” or “Connection”) and/or if you choose to make a payment on doxo, you also may be required to provide your account credentials for those Providers (“Account Credentials”). When you submit Account Credentials for a Provider within the Service, you elect to share certain information from your doxo user profile with that Provider or other information (“Account Information”), and any Account Information or documents you exchange with that Provider will be accessible to that Provider.
doxo may de-identify or aggregate Private Information and use and disclose such data only in a non-personally identifiable manner to:
- improve the design, functionality and content of the Service;
- to enable Providers to improve their use of the Service and to benefit their customers through the Service;
- to provide reports and analysis that may benefit doxo users or Providers; or
- to develop products and services that might interest doxo users and Providers.
3. Changes to the information doxo collects
If your Registration Information or any other information stored in doxo changes, you may update it any time by logging into the Service and editing the information online via your account.
4. Technologies doxo uses to optimize your experience
When you visit the Site, doxo may collect session activity (including replay activity) and technical and navigational information, such as computer browser type, Internet Protocol address, pages visited, and average time spent on the doxo Site and store it in log files. This information does not include information such as payment card number or financial information and may be used, for example, to alert you to software compatibility issues, to ensure successful payment delivery, optimize the user experience, and assist in customer support requests, or it may be analyzed to improve the design and functionality of the Site or Service.
We may combine this automatically collected log information with other information we collect about you. We do this to provide customer support to you, and to improve the quality and functionality of the Service we offer to you. Technologies such as: cookies, beacons, tags and scripts are used by doxo and our analytics or service providers (e.g. online customer support provider). These technologies are used in analyzing trends, administering the Site, tracking users’ movements around the Site and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.
5. How we share information with 3rd parties
doxo does not share your Private Information with third parties for their promotional or marketing purposes. doxo may share your Private Information with third party service providers who assist doxo in providing Service to you or who provide fraud detection or similar services on doxo’s or any vendor’s behalf. doxo has contracts with these service providers that only allow them to use your Private Information in connection with the services they perform for doxo and not for their own benefit.
6. Disclosure of information when required by law
Notwithstanding anything to the contrary in this Policy, doxo reserves the right (and you hereby authorize doxo) to share and disclose your Private Information when doxo determines, in its sole discretion, that the disclosure of such information is necessary or appropriate:
- To enforce doxo’s rights against you or in connection with a breach by you of this Policy or the doxo User Terms of Service;
- To prevent prohibited or illegal activities; or
- When required by any applicable law, rule regulation, court order, warrant, subpoena or other legal process.
In such an event, if permitted by law, doxo will make reasonable efforts to notify you and give you the opportunity to seek a protective order. If doxo is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email and/or a prominent notice on our Web site (doxostaging.wpengine.com) of any change in ownership or uses of your Private Information, as well as any choices you may have regarding your Private Information. Should such a change occur, doxo will require that the new entity follow this Policy with respect to your Private Information. If your Private Information could be used contrary to this Policy, you will receive prior notice and the opportunity to communicate preferences you may have, if applicable.
7. You have complete control over your data
Your data is yours. You can remove it anytime you want. We will retain your information for as long as your account is active or as needed to provide the Service to you. If you wish to cancel your account or request that we no longer use your information to provide the Service to you, you may close your account using the settings menus, and if you have questions you may contact us at support.doxo.com. We, and our service providers, will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. When you request doxo to delete your doxo account, your data will be permanently expunged from doxo’s primary production servers and further access to your account will not be possible. doxo will also promptly disconnect any Connection between you and Providers on the Service. All Providers that you were Connected to will be notified that you no longer choose to be Connected via doxo and it is up to each Provider to begin communications via alternative means (for example, begin sending documents to you via US Mail instead of doxo). It is the responsibility of the Provider to take action and facilitate communication with you through the appropriate channel. doxo may also retain aggregated or de-identified data derived from your Account Information indefinitely. Your information may also remain on a backup server or media. If your Private Information changes, or if you no longer wish to use the Service, you may correct, update or delete inaccuracies by making the change within your account and you can request assistance by visiting us at support.doxo.com.
8. Email communications from doxo
doxo provides you with periodic summaries of your account and email alerts for certain events having to do with your doxo account – for example, when a Connection with a Provider has been accepted or declined, a Provider we believe you might have a relationship with has joined the doxo network, a new document from a Provider is received, information about payments, when a bill is coming due, or if new product features have become available to you. You have the ability to opt-out of receiving some emails via settings in doxo or by clicking the unsubscribe mechanism in the email doxo sends you
9. Your data is accessible only by you
doxo uses a combination of firewall barriers, encryption techniques and authentication procedures, among others, designed to maintain the security of your online session and to protect doxo accounts and systems from unauthorized access. When you register for the Service, doxo requires a password from you for your privacy and security. doxo servers are operated in highly secure facilities. Access requires multiple levels of authentication, including biometrics (hand print scan) procedures. Security personnel monitor the facilities 7 days a week, 24 hours a day. doxo databases are protected from general employee access both physically and logically. doxo encrypts your Service password so that your password cannot be recovered, even by doxo. All backup drives and tapes also are encrypted. All Private Information (including any documents stored on your behalf) is always encrypted with 256 bit encryption or better, and is only viewable by you after entering your login credentials. No employee may put any sensitive content on any insecure machine (i.e., nothing can be taken from the database and put on an insecure laptop). doxo tests the Site daily for any failure points that would allow hacking. However, it is important to understand that these precautions apply only to the Site and doxo systems. doxo exercises no control over how your information is stored, maintained or displayed by you, third parties or on third-party sites. No method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee absolute security
10. doxo uses highly secure communications
From the time you submit your login credentials, the communications between your computer and doxo are encrypted using industry-standard 128 bit TLS 1.1 or higher technology or better. TLS enables client and server applications to communicate in a way that is designed to prevent eavesdropping, tampering and message forgery. Any data transmitted between one of your Providers and doxo (e.g. when establishing a Connection or sending and receiving documents from the Provider) is secured using TLS and encrypted in transport between the Provider and doxo.
11. You are responsible for protecting your access credentials
doxo maintains strict rules to help prevent others from guessing your password. doxo also recommends that you change your password periodically. You are responsible for maintaining the security of your doxo user name and password. You are specifically restricted from providing these credentials to any third party. If you believe that they have been stolen or been made known to others, you must contact doxo immediately at email@example.com and change your password immediately via the Service. doxo is not responsible if someone else accesses your account through Registration Information they have obtained from you or through a violation by you of this Policy or the doxo User Terms of Service.
If you have a security related concern, please contact doxo at firstname.lastname@example.org. doxo will work closely with you to ensure a rapid and personal response to your concerns. Our Site may offer publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected and used by others who access them. To request removal of your Private Information from our blog or community forums, contact us at email@example.com. In some cases, we may not be able to remove your Private Information, in which case we will let you know if we are unable to do so and why.
12. Doxo posts updates to this Policy from time to time
doxo reserves the right to modify this Policy at any time, so please review it frequently. If doxo makes material changes to this Policy, doxo will notify you here, by email, by means of a notice to the doxo home page, or via a notification in your doxo account prior to the change becoming effective. The date last revised appears at the top of the Policy.
13. Contact Doxo if you have questions or concerns
If you have questions, comments, concerns or feedback regarding this Policy or any other privacy or security concern, send an e-mail to firstname.lastname@example.org. Doxo Inc. 101 Stewart St Suite 800 Seattle, WA 98101.
14. Your California Privacy Rights
The California Consumer Privacy Act of 2018 (“CCPA”) provides certain rights to residents of California. This section of the Policy applies if you are a natural person who is a resident of California (“California Consumer”) and uses our Service. This notice supplements the information in the Policy with respect to California Consumers. Certain terms used below have the meanings given to them in the CCPA. We collect and disclose the following categories of personal information as indicated below:
|A. Identifiers such as a real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address and account name.||Yes||Yes|
|B. Personal information as defined in the California customer records law, such as name, contact information, and financial information.||Yes||Yes|
|C. Characteristics of protected classifications under California or federal law, such as gender and date of birth.||Yes||No|
|D. Commercial information, such as transaction information, purchase history, financial details and payment information.||Yes||Yes|
|E. Biometric information, such as fingerprints and voiceprints.||No||No|
|F. Internet or other electronic network activity information, such as browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems and advertisements.||Yes||Yes|
|G. Geolocation data, such as device location.||No||No|
|H. Audio, electronic, visual and similar information, such as images and audio, video or call recordings created in connection with our business activities.||Yes||No|
|I. Professional or employment-related information, such as job title as well as work history and experience.||No||No|
|J. Education information subject to the federal Family Educational Rights and Privacy Act, such as student records.||No||No|
|K. Inferences drawn from any of the personal information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics.||Yes||No|
We collect this personal information from you and from other categories of sources such as: public and publicly available sources; our vendors, data suppliers, and service providers; and partners with which we may offer co-branded services or engage in joint event or marketing activities.
We share this personal information with: our service providers; the administrators authorized by Providers with whom you Connect and/or pay, and other parties where required by law or to protect our rights. For more details, please see Section 5 (How we share information with 3rd parties) and Section 6 (Disclosure of information when required by law) of this Policy.
We may use this personal information to: operate, manage, and maintain our business, to provide our products and services, to communicate with you, for our vendor management purposes, and to accomplish our business purposes and objectives, including, for example, using personal information to: develop, improve, repair, and maintain our products and services; process or fulfill a request or other transactions submitted to us; personalize our products and services; provide customer support; conduct research, analytics, and data analysis; undertake quality and safety assurance measures; conduct risk and security control and monitoring; detect and prevent fraud; perform identity verification; perform accounting, audit, and other internal functions; comply with law, legal process, and internal policies; maintain records; exercise and defend legal claims; and fulfill legal obligations.
Doxo does not sell personal information to third parties within the scope of the application of the CCPA.
California Privacy Rights
California residents have the right to request:
- The categories of personal information we collect, along with the categories of sources from which we collect such information, the categories of third parties to whom we disclose it, and the business purposes for such disclosure;
- The specific pieces of information we have collected about you;
- Deletion of certain personal information we have collected from you; and
- To opt-out of the sale of your personal information, to the extent that such sales occur.
We will not deny, charge different prices for, or provide a different level of quality of services if you choose to exercise these rights. Note that each of these rights is subject to certain restrictions and exceptions under California law; for example, we may need to retain certain information for record keeping or legal purposes.
California residents may exercise their California privacy rights by submitting a request via one of the methods in the “How to Contact Us” section. You also have the right to designate an agent to exercise these rights on your behalf.
For security purposes, we will verify your identity – in part by verifying your email account or requesting certain information from you – when you request to exercise your California privacy rights. Once we have verified your identity (and your agent, as applicable), we will respond to your request as appropriate. Consistent with California law, we do not disclose government IDs or financial account numbers.
Shine the Light Disclosure
The California “Shine the Light” law gives residents of California the right under certain circumstances to request information regarding the manner in which we share certain categories of Personal Information (as defined in the Shine the Light law) with third parties for their direct marketing purposes. We do not share your Personal Information with third parties for their own direct marketing purposes.