Sybill Inc. (together with its subsidiaries and affiliates – “Sybill”, “Sybill.ai”, “we”, “our” or “us”) puts great efforts in making sure that the personal data processed by us is safe and used properly, and that our data practices are properly communicated to our customers, users and prospects.
By using our Services, you acknowledge that you have read and understood this Privacy Policy. Certain processing activities require your consent, which you can provide or withdraw at any point. Some processing is necessary to provide our Services or to comply with legal obligations. If you are under 18 years of age, please do not use our Services without the involvement of a parent or guardian.
1. Data Controller/Processor
- Sybill as Data Controller: We are the "data controller" (underthe GDPR) or "business" (under the CCPA) for Sybill Website, CRM& Prospect Data. With respect to such data, we assume the responsibilities of the data controller as set forth in this Privacy Policy.
- Sybill as Data Processor: We are the "data processor" of Customer Data, which we process on behalf of our customer (who is the"data controller" of such data). Our Service Providers who process such Customer Data on our behalf are the "sub-processors" of such data.
- Dual Role for Sybill User Data: We are both a "data controller" and "data processor" of Sybill User Data. Such data is processed by Sybill for its own purposes (as described in Section 4), as an independent 'controller'; whilst certain portions of it which are included in Customer Data will be processed by us on our customer's behalf, as a 'processor'.
- Processing According to Instructions: We process Customer Data strictly in accordance with our customer's reasonable instructions and as further stipulated in our Data Processing Addendum and other commercial agreements with such customer. The customer, as controller of such data, will be responsible for meeting any legal requirements applicable to data controllers (such as establishing a legal basis for processing and responding to Data Subject Rights requests concerning the data they control).
- Customer Responsibility: Each customer is solely responsible for providing adequate notice to their account users and customers whose data may be contained in Customer Data - including sufficient reference to the processing of their Personal Data via the Services, and any other information necessary to comply with all applicable privacy and data protection laws; and to obtain all approvals and consents from such individuals as required under such laws.
2. Data Collection & Processing
We collect and process the following categories of personal data:
- Customer Data: Our Services enable Sybill customers to record, transcribe, analyze, and share the contents of their sales communications, including phone calls, video conferences, email, and other correspondences, as well as their CRM and customer contacts (collectively, "Customer Data"). Customer Data typically contains data that relates to identifiable individuals, such as the customer's sales representatives, prospects, and other parties either taking part in their communications or mentioned there. Sybill processes Customer Data, and the personal data contained in it, strictly on our customers' behalf, in accordance with their reasonable instructions.
- Sybill User Data: We collect and generate the following types of personal data concerning users of our Platform:
- user account information (e-mail address and, when applicable, hashed password);
- profile and contact information (name, title, team, company, e-mail, and phone number, and additional information and media submitted by them, their teammates, or their organization);
- Platform usage information (connectivity, technical and aggregated usage data, such as user agent, IP addresses, device data (like type, OS, device ID, browser version, locale, and language settings used), activity logs, session recordings, and the cookies installed or utilized on their device; and
- direct interactions and communications with us (including recordings and transcripts of your calls and emails with us, e.g., for user enablement, support, and training purposes).
- Sybill Website, CRM & Prospect Data: We collect and generate the following types of personal data concerning our website visitors, customers, and prospects:
- Website usage information (connectivity, technical and aggregated usage data, such as user agent, IP addresses, device data (like type, OS, device id, browser version, locale, and language settings used), activity logs, session recordings, and the cookies and pixels installed or utilized on their device;
- Customer account information (contact, contractual and billing details concerning our customers, which may also contain the details of their internal focal persons who directly engage with Sybill concerning their organizational account, e.g. the account administrators, billing contacts and authorized signatories on behalf of the customer; as well as the customer's needs and preferences, as identified to us or recognized through our engagement with them);
- Information concerning our customers and prospects (contact and business details, our communications with such customers and prospects (correspondences, call and video recordings, and analyses thereof), as well as any needs, preferences, attributes, and insights relevant to our potential engagement).
3. Legal Basis for Processing
We process personal data in accordance with applicable data protection laws, including the GDPR. Our processing activities rely on one or more of the following legal bases:
- Contractual Necessity
- Legitimate Interests
- Legal Obligation
- Consent
Where we rely on consent, you have the right to withdraw this consent at any time.
4. Data Retention:
We use personal data for the following purposes:
- Providing, operating and improving our Services
- Authentication and security
- Customer support and service
- Analytics and service optimization
- Marketing and communication
- Legal compliance
5. Data Location & International Transfers
We and our authorized Service Providers maintain, store, and process Personal Data in the United States of America and other locations, as reasonably necessary for the proper performance and delivery of our Services, or as may be required by law.
For transfers of Personal Data from the EEA and UK to the United States or other countries that may not have an adequate level of data protection as determined by these jurisdictions, we implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension
- Additional technical and organizational measures to ensure an adequate level of protection
6. Data Retention
We retain Customer Data strictly on our customers' behalf, in accordance with their reasonable instructions.
We retain Sybill User Data and Sybill Website, CRM & Prospect Data for as long as it is reasonably necessary:
to maintain and expand our relationship and provide you with our Services and offerings;
to comply with our legal and contractual obligations; or
to protect ourselves from any potential disputes (i.e., as required by laws applicable to log-keeping, records, and bookkeeping, and in order to have proof and evidence concerning our relationship, should any legal issues arise following your discontinuance of use), all in accordance with our data retention policy.
Please note that, except as required by applicable law or our specific agreements with you, we will not be obligated to retain your Personal Data for any particular period, and we are free to securely delete it or restrict access to it for any reason and at any time, with or without notice to you. If you have any questions about our data retention policy, please contact us by email at [email protected].
7. Data Sharing with Third Parties
We may share personal data with third parties for the following purposes:
- Legal authorities when legally required
- Service Providers who process data on our behalf
- Customer account administrators and users within the same organization
8. Cookies and Tracking Technologies
We and our Service Providers use cookies and other technologies for performance, tracking, analytics, and personalization purposes. These technologies fall into the following categories:
- Necessary Cookies: Essential for the basic functionality of our Sites and Platform
- Functional Cookies: Enable enhanced features and personalization
- Analytical Cookies: Help us understand how our Sites and Platform are used
- Marketing Cookies: Used to deliver relevant advertisements and marketing
9. Communications
We send service-related communications necessary for the operation of our Services, and promotional communications you can opt out of at any time.
- Service Communications: We may contact you with important information regarding our Services.
- Promotional Communications: We may also notify you about new features, additional offerings, events, special opportunities, or any other information we think you will find valuable, as our customer, user or prospect.
10. Data Security
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, access controls, and other security protocols.
While we make efforts to protect your privacy and implement industry-standard security measures, we cannot guarantee that our Sites, Platform or Services will be immune from any wrongdoings, malfunctions, unlawful interceptions or access, or other kinds of abuse and misuse.
11. Data Subject Rights
Under the GDPR and similar data protection laws, you have the following rights regarding your personal data:To exercise these rights, please contact us at [email protected]. We will respond to all data subject rights requests within one month. This period may be extended by up to two further months where necessary, taking into account the complexity and number of requests.
- Right to Access: You have the right to know if we process your personal data and to access that data.
- Right to Rectification: You have the right to request correction of inaccurate personal data.
- Right to Erasure: You have the right to request deletion of your personal data in certain circumstances.
- Right to Restrict Processing: You have the right to request the restriction of processing in certain circumstances.
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format.
- Right to Object: You have the right to object to processing based on legitimate interests and direct marketing.
- Rights Relating to Automated Decision Making: You have the right not to be subject to decisions based solely on automated processing that produce legal effects.
To exercise these rights, please contact us at [email protected]. We will respond to all data subject rights requests within one month. This period may be extended by up to two further months where necessary, taking into account the complexity and number of requests.
12. Automated Decision Making
We may use automated decision-making or profiling in limited circumstances, such as:
- For fraud prevention and security purposes
- To personalize our Services and marketing communications
- To analyze customer interactions and improve our Services
Where we make decisions based solely on automated processing that produce legal effects or similarly significant effects, we will:
- Inform you that we engage in such activities
- Provide meaningful information about the logic involved
- Explain the significance and potential consequences of such processing
- Implement suitable safeguards
- Allow you to request human intervention, express your point of view, or contest the decision
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority without undue delay.
- Notify affected data subjects without undue delay.
14. EU-U.S.Data Protection Framework
Sybill.ai complies with the EU-U.S. Data Privacy Framework (EU-U.S.DPF) and the UK Extension to the EU-U.S. Data Privacy Framework (DPF) as set forth by the U.S. Department of Commerce. We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the UK Extension. To learn more about the Data Privacy Framework program, and to view our certification, please visit
https://www.dataprivacyframework.gov/.
This Privacy Notice applies to our processing of personal data transferred to the United States from the European Union/European Economic Area and the United Kingdom. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern.
In compliance with the EU-U.S. DPF, Sybill.ai commits to the following principles:
- Notice: We inform individuals about the purposes for which we collect and use their personal information.
- Choice: We offer individuals the opportunity to choose (the choice to opt out, or opt in for sensitive data) whether their personal information is to be disclosed to a third party (other than our agents) or used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to [email protected].
- Accountability for Onward Transfer: If you are an EU or UK individual, where we transfer your personal data to third party service providers who perform services for us or on our behalf, we are responsible for the processing of that data by them and shall remain liable if they process your personal data in a manner inconsistent with the DPF Principles, unless we prove that we are not responsible for the event giving rise to the damage. We will only transfer personal information to third parties that have agreed to provide the same level of privacy protection.
- Security: We take reasonable and appropriate measures to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
- Data Integrity and Purpose Limitation: We take reasonable steps to ensure that personal information is reliable for its intended use, accurate, complete, and current. We only collect and retain personal information which is relevant to the purposes for which it is to be used.
- Access: We provide individuals with access to their personal information and allow them to correct, amend, or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy, or where the rights of persons other than the individual would be violated. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States in reliance on the DPF Program should direct their query to [email protected]. If requested to remove data, we will respond within a reasonable timeframe.
- Recourse, Enforcement and Liability: We provide robust mechanisms for assuring compliance with the Principles and recourse for individuals who are affected by non-compliance. With respect to personal data received or transferred pursuant to the DPF Program, we are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Under the DPF, individuals have the right to obtain our confirmation of whether we maintain personal information relating to them. Individuals may also request access to and correction or amendment of their personal data. To exercise these rights, please contact us at [email protected].
In compliance with the DPF Principles, Sybill commits to resolve DPF Principles-related complaints about your privacy and our collection or use of your personal information. European Union and United Kingdom individuals with inquiries or complaints regarding our handling of personal data in reliance on the DPF should first contact Sybill at: [email protected].
Sybill has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by us, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction for more information on this process
15. Children's Data
Our Services are not designed to attract children under the age of 16. We do not knowingly collect Personal Data from children and do not wish to do so.
If we learn that a person under the age of 16 is using the Sites, Platform and/or Services, we will:
- Immediately attempt to prohibit and block such use
- Promptly delete any Personal Data stored with us with regard to such child
- Implement additional safeguards to prevent future unauthorized access
If you believe that we might have any data from or about a child under 16, please contact us by e-mail at [email protected].
16. Additional Notices & Contact Details
- We may update and amend this Privacy Policy from time to time by posting an amended version of our Services.
- You may contact our Data Protection Officer at [email protected].
- If you have any comments or questions regarding our Privacy Policy, or if you have any concerns regarding your Personal Data held with us, please contact Sybill's support at [email protected]. If you are a GDPR-protected individual, you also have the right to lodge a complaint with an EU supervisory authority.