We are Ebsta Limited. Our main office is at Congress House, 23-28 Great Russell Street, London, WC1B 3LS.
We offer two products: the base Ebsta browser extension, which has limited functionality, and the full Ebsta Managed Package. There are significant differences between how each product handles personal data, which we explain below.
The base browser extension works with your Salesforce account, your browser-based email and your calendar, allowing you to see Salesforce information about a person from your email, to update Salesforce from within your email and to synchronise your Salesforce calendar with your Google calendar. It also works with social networks and certain other sites, to show you the information which you have in Salesforce about a person when you view their profile or website. We may add additional functionality to the base browser extension in future, for example by supporting additional websites or services.
The full Ebsta Managed Package is an enterprise product which keeps track of who your team are exchanging emails with and extracts key information from those email exchanges (e.g. contact details in email signatures and the frequency of email exchanges). We use that information to create a record for everyone your company exchanges emails with, and those records are then compared to your CRM data in Salesforce to identify which records are new, what updates might be available and the depth or currency of each relationship.
In summary, the Ebsta Managed Package uses best endeavours to show:
What we collect, what we do with it and why
We mainly collect personal data:
We also create and analyse statistical data based on the data we collect, in order to identify market trends and metrics, to improve our services and for other related commercial purposes. We process personal data to the extent necessary to create that statistical data. We cannot identify any individual from that statistical data and, in the interests of clarity, it will not include any information specific to the business that is our customer.
When someone creates an account with us to use any of our services, we ask them to authorise us to interact with their Salesforce account. We use that authorisation to access the information we need in Salesforce for account administration, for providing our services and for communicating with your business about our services. You can read more detail about any of those purposes below.
As part of our account creation process, we collect contact details and related data from each Ebsta user’s Salesforce account.
We collect that data in order to allow us to create and administer users’ accounts with us, to set up the business they work for as our customer, to enable us to communicate with our customer about our services, to assess the correct licensing levels for our customer, to ensure compliance with our terms of service and to enable us to provide our services effectively. In our terms of service, the business that is our customer has agreed that we can do this, and that it has the right to allow it.
To provide our services, we obviously need access to the data in the customer’s Salesforce organisation.
For the Ebsta Managed Package, we do retain copies of that data on our systems. Doing so enables us to provide the greatly enhanced functionality offered by the Managed Package. Users can revoke our access to their Salesforce account at any time, although of course if they do so we will not be able to continue to provide the Managed Package.
We also use the contact details we collect in the course of account administration to inform users from time to time about new products or services which we offer, and to invite our customers to consider upgrading to additional services. We will not use that data to market anyone else’s products or services, and we will stop sending non-essential communications to users if they ask us to.
A key part of our services is the ability to analyse and cross-reference the CRM data with data locked up in a customer’s email mailboxes. How we handle emails differs considerably between the base browser extension and the full Ebsta Managed Package, as set out below.
For the browser extension, cross-referencing is done purely transiently as needed, and we do not retain copies of any emails.
For the Managed Package, when a customer signs up to use it we ask them to authorise us to access and analyse their business’s emails in order to provide that service. We do that by means of the relevant email vendor’s API (if the email is accessed via a cloud service such as Google Apps or Office 365) or by interfacing directly with the customer’s email system (such as Exchange).
We do retain copies of emails which we analyse as part of providing the Managed Package, because it is necessary in order to provide that service.
Managed Package customers can control the visibility of emails within their organisation, either by each individual end user setting permissions in respect of his or her own email or, in the case of our enterprise services, by the customer’s administrator setting global permissions applicable to all users within that customer’s business.
Please note that, unless you set permissions correctly, emails held in mailboxes connected to Ebsta will be visible to other people working in your organisation.
In our terms of service, our customer has agreed that we can do this, and that it has the right to allow it on behalf of its users. It is our customer’s responsibility to ensure that it sets permissions correctly to ensure that users do not see emails that they should not see.
We do not share the contents of the emails we collect with anyone outside a customer’s organisation.
The following fair usage terms apply –
We use the browser plugin itself to collect the personal data described below. The browser plugin does not collect any other personal data. In particular, we do not intercept any secure communications or collect any login information.
Our browser plugin collects information about websites you visit. Doing this helps us to understand how our customers use our services and which websites they use them with, so we can work out where to concentrate our improvement efforts; for example, if a large number of people are using our services with a particular website, that information will help us to know that we need to direct more resources to ensuring that our services work well with that website.
Our browser plugin also collects information about other browser plugins installed in the user’s browser. We do this to help us to understand how our customers use our services in conjunction with other products, to help us to detect and fix incompatibilities between plugins and to help us improve our services.
Cookies are small text files stored in a browser’s cache by our servers and which our servers can read when that browser accesses our site or our services. The Information Commissioner’s website has more detail about how cookies work generally here
We share personal data with some of our suppliers to the extent necessary to allow us to provide and market our own services. For example, personal data will be stored by our hosting providers, and payment information will be processed by our payment processor. We would be happy to provide further details to our customers about the suppliers we use to process data for us; please contact firstname.lastname@example.org for more information.
Export of personal data outside the EEA – In certain limited circumstances, we do export personal data outside of the EEA for processing, and we do use third-party service providers who do the same. We only do that if there is a good reason to do it and where adequate safeguards (such as the appropriate contractual arrangements with suppliers) are in place. For example, we process personal data on Amazon’s AWS platform at a number of geographical locations around the world in order to improve the speed and resilience of our service.
We protect our own systems with appropriate technical and organisational measures, including firewalls, access control systems, strong passwords, anti-virus software, and robust information security policies. We actively monitor our systems for signs of attack or intrusion.
However, there are certain aspects of the security of personal data processed by us which are beyond our control. In particular:
We will generally stop processing a person’s personal data if they ask us to, unless we have a good and lawful reason to continue doing so (such as to recover a debt or to investigate abuse of our services). However, if an Ebsta user asks us to stop processing their personal data, then depending on the precise scope of the request we may not be able to continue to provide our services to that user, or the customer that user works for. We do not offer refunds in those circumstances.
Except for information which an Ebsta user has specifically requested from us, our marketing communications and newsletters will always provide a reasonably obvious means of opting out of such communications in future. In any event, if you want to stop receiving some or all marketing communications from us, you can let us know by email to email@example.com or by writing to our head office at the address above, for the attention of the compliance team.
If you want to exercise a legal right to access your personal data held by us, the easiest and most efficient way to do so is to email firstname.lastname@example.org or write to our head office at the address above, for the attention of the compliance team. We may make a charge of up to £10 to cover our costs in responding to such requests.