Skip to content

About this Privacy Policy

This privacy policy explains what Ebsta does with personal data. Please read it carefully. If there is anything you don’t understand, please email us at privacy@ebsta.com and we will be happy to explain further.

We last updated this privacy policy on the 11th October 2017. As our various services grow and evolve, and as changes in the law arise, we may need to update it from time to time. Updated versions will be posted on this page. If appropriate, we will also notify those affected by email of any significant changes.

Who we are and What we do

We are Ebsta Limited. Our main office is at Congress House, 2328 Great Russell Street, London WC1B 3LS.

Ebsta offers two products, each with two pricing plans, which help our customers integrate their email, LinkedIn and, dependent on package, calendar systems with CRM systems to ensure that the data they hold about their customers in their CRM systems is as up-to-date as possible.

These products are (a) the base Ebsta browser extension, which has limited functionality; and (b) the full Ebsta Managed Package. There are significant differences between how each product handles personal data, which we explain further below.

For more details about the products we offer, and what is included in each of the pricing plans, please see our Pricing Page.

Who controls your information and who to contact in relation to your information

Because of what we do, who controls your information varies depending on the type of information.
Any enquiries in relation to your information, or any request to exercise your rights under data protection law in respect of your information, should be directed to the person that controls your information, as set out below.

Please see “What are my rights in relation to my information” further below for details of what rights you have over your information.

If your information is collected by an Ebsta product

An Ebsta product used by one of our customers may collect some of your information where you have a relationship with that customer. That relationship may be by virtue of exchanging emails or calendar invites with the customer, or interacting on professional, social or other websites where your information is shared.

However, where Ebsta collects your information in these circumstances, it does this on behalf of the customer in question and it is that customer that controls your information. Any queries or requests to exercise any of your rights in relation to your information should therefore be directed to that customer.

Whilst we do not control your information in these circumstances, the information contained on this page may still be useful to you in understanding how the Ebsta product works, and how it collects your information on behalf of our customer.

If you have a direct relationship with Ebsta

Examples include where you are an employee of Ebsta, a customer of Ebsta or a supplier to Ebsta. However, if you are an employee of Ebsta, please see the [staff handbook], as this policy does not apply to you.

In these circumstances, Ebsta controls your information to the extent that it relates to that relationship, and any queries or requests to exercise any of your rights in relation to that information should be directed to Ebsta.

Where a person has a direct relationship with Ebsta, we will generally stop processing that person’s personal data if they ask us to, unless we have a good and lawful reason to continue doing so (such as to recover a debt or to investigate abuse of our services). However, if an Ebsta user asks us to stop processing their personal data, then depending on the precise scope of the request we may not be able to continue to provide our services to that user, or the customer that user works for. We do not offer refunds in those circumstances.

If you also have relationships with Ebsta’s customers, Ebsta’s customers may also control some of your information separately (see above, “If your information is collected by an Ebsta product”).

The information we collect, how we collect it, why we collect it, and what we do with it

CRM systems – customers of Ebsta only

When an Ebsta customer creates an account with Ebsta to use any of our services, we ask them to authorise us to interact with their CRM system. We use that authorisation to access the information we need in the CRM system for account administration, for providing our services and for communicating with your business about our services. You can read more detail about any of those purposes below.

Account administration

As part of our account creation process, we collect contact details and related data from each Ebsta user’s CRM system account. For this reason, we recommend that our customers set up CRM system users using their business contact details.

We collect that data, as a data controller, in order to allow us to create and administer users’ accounts with us, to set up the business they work for as our customer, to enable us to communicate with our customer about our services, to assess the correct licensing levels for our customer, to ensure compliance with our terms of service and to enable us to provide our services effectively. In our terms of service, the business that is our customer has agreed that we can do this, and that it has the right to allow it.

Our legal basis for processing information in this way is necessity for the performance of our contract, or trial contract, with our customer, the employer of the users. Failure to allow Ebsta to process information in this way will prevent Ebsta from providing its services to the customer.

We retain this data throughout the period that the customer remains a customer or active product user and for two years following termination of the customer contract or the user ceasing use (as the case may be).

Providing our services

To provide our services, we obviously need access to the data in the customer’s CRM system.

Users can revoke our access to their CRM system at any time, although of course if they do so we will not be able to continue to provide the Managed Package.

Where we access a customer’s CRM system, we do so as a data processor. It is therefore for our customer to establish the purpose and lawful basis for the processing of any personal information that this entails.

For the Ebsta Managed Package, regardless of the price plan you are on, we do retain copies of that data on our systems. Doing so enables us to provide the greatly enhanced functionality offered by the Managed Package. We retain this data for 60 days beyond contract termination.

Communications about our products and services

We also use the contact details we collect in the course of account administration to inform users from time to time about new products or services which we offer, and to invite our customers to consider upgrading to additional services. We will not use that data to market anyone else’s products or services, and we will stop sending nonessential communications to users if they ask us to.

Our legal basis for processing is consent. The contact details we use will be those collected at the time you create your account, we will only ever market similar products and services supplied by Ebsta and we will offer you an opportunity to opt-out on each communication.

We retain this data throughout the period that the customer remains a customer or active product user and for two years following termination of the customer contract or the user ceasing use (as the case may be).

Email – persons with relationships with our customers

A key part of our services is the ability to analyse and crossreference the CRM data with data locked up in our customer’s email mailboxes. In doing so, information (which may include personal information) from an email, or the email itself, may be placed on the customer’s CRM system.

How we do this, and what we do with emails beyond syncing them (or information in them) to a customer’s CRM system differs considerably between the application extension packages and the Ebsta managed packages, as set out below.

Where we process a customer’s emails (which may contain personal information), we do so as a data processor. It is therefore for our customer to establish the purpose and lawful basis for the processing of any personal information that this entails.

Application extensions

For the application extensions, crossreferencing is done purely transitionally as needed.

Copies of emails/documents are passed to Ebsta servers for processing, but we do not retain copies once they have been processed.

We do not retain copies of emails or documents processed via the application extensions.

Managed package

Where a customer has taken a managed package, when that customer signs up to use it we ask them to authorise us to access and analyse their business’ emails in order to provide that service.

We do that by means of the relevant email vendor’s API (if the email is accessed via a cloud service such as Google Apps or Office 365) or by interfacing directly with the customer’s email system (such as Exchange). This is done systematically for every email sent or received by a mailbox connected to Ebsta by the customer user.

We do retain copies of emails which we analyse as part of providing the managed package, because it is necessary in order to provide that service for performance reasons. However, we do so as data processor and only retain these emails for 60 days beyond the date on which our customer ends their contract.

Managed Package customers can control the visibility of emails within their organisation, either by each individual end user setting permissions in respect of his or her own email or, in the case of our enterprise services, by the customer’s administrator setting global permissions applicable to all user’s within that customer’s business.

Please note that, unless you set permissions correctly, emails held in mailboxes connected to Ebsta will be visible to other people working in your organisation.

In our terms of service, our customer has agreed that we can do this, and that it has the right to allow it on behalf of its users. It is our customer’s responsibility to ensure that it sets permissions correctly to ensure that users do not see emails that they should not see.

We do not share the contents of the emails we collect with anyone outside a customer’s organisation.

Managed Package Fair Usage Policy

The following fair usage terms apply:

1. Volume of emails processed per annual subscription – Ebsta will attempt to process up to 20,000 emails per individual annual subscription. (shorter contracts will be calculated prorata). If this limit is exceeded Ebsta reserves the right to stop processing emails for the mailbox in question until a new subscription is assigned.

2. Processing of historical emails – Ebsta charge a setup fee to process historical emails. This setup fee is calculated on the number of months’ worth of historical data the Customer wants processed into Ebsta. We apply a fair usage cap of 20,000 emails per 12 months of historical data purchased (calculated on a pro rata basis for shorter periods). If this fair usage cap is exceeded Ebsta reserves the right to stop processing emails for the mailbox in question until an additional set up fee is agreed.

3. Transfer of license between email addresses – Customers may transfer mailbox licenses midterm without charge. The original mailbox will become inactive, and Ebsta will attempt to process emails for the new mailbox from the date the license is allocated. If the Customer wants historical emails processed for the new mailbox a separate set up charge will apply.

4. Data sourced from inactive mailboxes – Ebsta will continue to make data sourced from inactive mailboxes visible as long as the customer has live licenses for a minimum of 50% of the mailboxes under management.

5. Viewing the Ebsta Managed Package – Users that have a paid subscription/active mailbox connected to Ebsta get unrestricted access to the Ebsta managed package services they have subscribed to. Ebsta reserves the right to limit access or functionality to users that do not have a paid subscription.

Email Tracking – persons with relationships with our customers

The chrome extension “Growth” plan and both managed packages include an option for Ebsta customers to include a small invisible image file unique to the recipient which is hosted on an Ebsta server. When the email is opened, and provided the image is loaded, we tell the customer (a) that the email has been opened by its recipient; (b) what type of device they opened the email on; (c) the time at which the email was opened; and (d) the location at which the email was opened (based on IP address, if provided).

To disable this functionality a recipient of emails from an Ebsta customer can disable the display of inline images in the settings of their email client or webmail.

Where we track a person’s emails in this way, we do so as a data processor for our customer. It is therefore for our customer to establish a lawful basis for the processing of any personal information that this entails.

We retain this data for 60 days beyond the date on which our customer ends their contract.

Browser Plugin – users of Ebsta products (i.e. employees of Ebsta customers)

We use the browser plugin itself to collect the personal information described below. The browser plugin does not collect any other personal data. In particular, we do not intercept any secure communications to or from the user’s device or collect any login information for the user’s device.

We act as data controller where we collect this data. We do so for the purposes highlighted below, and in each case our lawful basis for this processing is legitimate interests. Our legitimate interest in collecting this personal information is the improvement of our products and services.

We retain this data throughout the period that the customer remains a customer or active product user and for two years following termination of the customer contract or the user ceasing use (as the case may be).

Information about other browser plugins

Our browser plugin also collects information about other browser plugins installed in the user’s browser. We do this to help us to understand how our customers use our services in conjunction with other products, to help us to detect and fix incompatibilities between plugins and to help us improve our services.

Cookies – users of Ebsta’s products and website visitors

Like most web services, we use cookies to allow our services to work properly, and to provide us with feedback on how people use our services and our website so we can make them better.

Cookies are small text files stored in a browser’s cache by our servers and which our servers can read when that browser accesses our site or our services. The Information Commissioner’s website has more detail about how cookies work.

We assume that people using our services or accessing our website consent to our use of cookies.

Where the use of cookies is non-essential (e.g. to provide Ebsta with feedback on how people use our services and our website), our lawful basis for processing is consent, which we imply should you continue to use our website (pursuant to Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003). You can withdraw your consent by disabling the placing of cookies via your browser settings, but note that this may prevent our services or website from working correctly where essential cookies are also used.

Where the use of cookies is essential (in order to allow our services to work properly), our lawful basis for processing is necessity for the performance of an express or implied contract. If you refuse to allow this processing to take place, we are unable to provide our services or website (as the case may be) to you.

The cookie itself will be retained on your computer until you clear your cookies through browser settings or until the expiry date set on that cookie is reached. The data that we derive from the cookie is retained throughout the period that the customer remains a customer or active product user and for two years following termination of the customer contract or the user ceasing use (as the case may be).

Who we share personal information with and why

We share personal data with some of our suppliers to the extent necessary to allow us to provide and market our own services. For example, personal data will be stored by our hosting providers, and payment information will be processed by our payment processor. Where we do share personal data with our suppliers, we share it with them as our data processor.

Export of personal information outside the EEA

In certain limited circumstances, we do export personal data outside of the EEA for processing, and we do use third party service providers who do the same.

We only do that if there is a good reason to do it and where adequate safeguards (such as the appropriate contractual arrangements with suppliers) are in place. For example, we process personal data on Amazon’s AWS platform at a number of geographical locations around the world in order to improve the speed and resilience of our service for our customers.

Ebsta has signed Amazon’s AWS data processing addendum, which has been approved by the Article 29 Working Party.

Our Security Precautions

We protect our own systems with appropriate technical and organisational measures, including firewalls, access control systems, strong passwords, antivirus software, and robust information security policies. We actively monitor our systems for signs of attack or intrusion. For more information, see our security statement.

However, there are certain aspects of the security of personal data processed by us which are beyond our control. In particular:

  • Personal data stored in a user’s account with us is only as secure as the password which is used to access that account. We expect our users to keep their passwords secure, and to change them promptly if they are compromised.
  • We access our customers’ external cloud services such cloud CRM systems and Office 365 using security access tokens issued to us by the provider of that service. We cannot control, and are not responsible for, any security failure in that provider’s systems or APIs.

Your rights over your personal data and how to exercise them

The law gives you certain rights in respect of the information that we hold about you. Below is a short overview of the most commonly-used rights. It is not a complete, exhaustive statement of your rights in respect of your personal data. The website of the Information Commissioner’s Office (http://www.ico.org.uk) has a wealth of useful information in respect of your rights over your personal data.

If you wish to exercise your rights, you should contact the person that controls your data, as highlighted above in the section entitled “Who controls your information and who to contact in relation to your information”.

Your right to withdraw your consent, including to marketing communications

When we process your information on the basis of your consent as the controller of that information (see the section entitled “Who controls your information and who to contact in relation to your information” above), you have the right to withdraw that consent at any time. You can do that by:

  • Emailing us at optout@ebsta.com.
  • Writing to our head office at the address above, for the attention of the compliance team.
  • In the case of marketing emails, by following the instructions contained in the email.

If we are doing something with your data on the basis of your consent and you withdraw it, we will stop doing it.

Accessing your personal data held by us

If you want to exercise a legal right to access your personal data controlled by Ebsta (see the section entitled “Who controls your information and who to contact in relation to your information” above), the easiest and most efficient way to do so is to email subjectaccessrequest@ebsta.com or write to our head office at the address above, for the attention of the compliance team. We may make a charge of up to £10 to cover our costs in responding to such requests.

Note that in some cases an exception may apply, which we will raise with you if applicable.

Your right to have inaccurate information about you corrected

You have the right to have the information we hold about you corrected if it is factually inaccurate.

If you are a customer, or a user of a customer, the easiest way to do this is by updating your CRM account, which Ebsta syncs with. If auto-sync does not work, please email support@ebsta.com.

If you are not a customer of Ebsta, or a user of a Ebsta customer, please contact the controller of your data (see the section entitled “Who controls your information and who to contact in relation to your information” above).

Your right to have your information deleted in some circumstances

In some circumstances, and where we control your data (see the section entitled “Who controls your information and who to contact in relation to your information” above), you have the right to require us to delete the information that we hold about you.

In particular, if we are processing your personal information as a data controller on the basis of your consent and you withdraw your consent to that processing, then we will delete the relevant data from our systems unless we have another lawful basis for keeping it.

Your right to complain to the ICO

You also have the right to lodge a complaint about our handling of your personal information with the Information Commissioner’s Office. You can contact them on 0303 123 1113.