Privacy Policy

Effective Date: 15 August, 2022
Last Updated on: 29 April, 2026
‍
This privacy policy (“Policy”) explains how SuprStack, Inc. or any of its affiliates or subsidiaries (“We”, “Us”, “Our”) acts as a Controller for Personal Data collected directly from users and as a Processor for Personal Data processed on behalf of its Customers.

Capitalised terms not specifically defined herein shall have the meaning ascribed thereto in the Terms.

‍1.1 “Controller” means the natural or legal person, public authority, agency, or other body which alone or jointly with others, determines the purposes and means of the processing of Personal Data.

‍1.2 “Customer” means the natural or legal person that has subscribed to SuprSend by agreeing to the Terms.

‍1.3 “DPF” means the EU–U.S. Data Privacy Framework, and where applicable, the UK Extension to the EU–U.S. Data Privacy Framework and the Swiss–U.S. Data Privacy Framework, as administered by the U.S. Department of Commerce.

‍1.4 “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‍1.5 “Process/Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‍1.6 “SuprSend” means Our proprietary notification infrastructure platform that enables multi-channel notification management across email, SMS, mobile push, web push, in-app inbox, Slack, Microsoft Teams, WhatsApp, and other messaging channels through a unified API, including individually and collectively the API, Software, and any Documentation and any updates, modifications, or improvements thereto.

‍1.7 “Independent Recourse Mechanism” means an independent, third-party dispute resolution body designated to address and resolve complaints regarding the organization’s handling of Personal Data under the Data Privacy Framework. Such a mechanism is made available to individuals at no cost and operates in accordance with the DPF Principles to provide appropriate recourse where complaints cannot be resolved directly by the organization.

‍1.8 “Terms” shall mean the Terms of Service available at https://www.suprsend.com/terms

2.3 Third-Party Safeguards. Where We share Your Personal Data with third parties (as described in the tables above), We take reasonable steps to ensure that such third parties provide adequate protection for Your Personal Data. For details on Our onward transfer obligations and the safeguards We require from third parties, please refer to clause 3.

‍2.4 Record of Processing Activities. We maintain an internal register of Our processing activities (a "Record of Processing Activities" or "ROPA") in accordance with applicable data protection laws.

‍2.5 If You provide Us with any Personal Data relating to other individuals, You represent that You have the authority to do so, and where required, have obtained the necessary consent, and acknowledge that it may be used in accordance with this Policy. If You believe that Your Personal Data has been provided to Us improperly, please contact Us by using the information in clause 12 below.

2.6 In addition to the details provided in the tables above, We may also share Your Personal Data with an entity to which we divest all or a portion of Our business, or otherwise in connection with a merger, consolidation, change in control, reorganisation or liquidation of all or a portion of Our business. We may also share with law enforcement authorities, government authorities, courts, dispute resolution bodies, regulators, auditors, and any party appointed or requested by applicable regulators to carry out investigations or audits of Our activities. We may share with professional advisors who advise and assist Us in enforcing Our contracts and policies, handling Our claims, effective management of Our company and in relation to any disputes We may become involved in.

3.1 When We transfer Personal Data to third parties acting as Our agents or service providers, We do so only for limited and specified purposes and in accordance with Our documented instructions. We require such third parties to provide at least the same level of privacy protection as is required under DPF Principles and applicable data protection laws and to notify Us if they can no longer meet these obligations. In the event a third party notifies Us that it can no longer meet its obligations, or We otherwise become aware that a third party is Processing Personal Data in a manner contrary to applicable data protection requirements, We will take reasonable and appropriate steps to stop and remediate such Processing.

3.2 When We transfer Personal Data to third parties in any other jurisdiction, We do so in accordance with DPF Principles and applicable data protection laws and ensure that appropriate safeguards are in place, such as Standard Contractual Clauses, Binding Corporate Rules, or other legally recognised transfer mechanisms.

3.3 SuprStack, Inc. remains responsible and liable under the DPF Principles if third-party agents process Personal Data on our behalf in a manner inconsistent with the DPF Principles and any data protection laws, unless We prove that We are not responsible for the event giving rise to the damage.

3.4 A detailed and current list of Our sub-processors, including the categories of Personal Data shared and the applicable data transfer mechanisms, is maintained separately and is available at https://trust.suprsend.com/subprocessors

4.1 If You are a data subject, Our legal basis for collecting and using the Personal Data described above will depend on the Personal Data concerned and the specific context in which We collect it.

4.2 There are six lawful bases for Processing Personal Data, and We ensure that all Personal Data We collect and Process falls under one or more of the following: 
(i) Your consent; 
(ii) performance of a contract with You or to take steps at Your request prior to entering into a contract; 
(iii) compliance with a legal obligation to which We are subject; 
(iv) protection of Your vital interests or those of another natural person;
(v) performance of a task carried out in the public interest or in the exercise of official authority; and 
(vi) Our legitimate interests or those of a third party, except where such interests are overridden by Your interests or fundamental rights and freedoms. 

Where We Process Personal Data in reliance on Your consent, You may withdraw Your consent at any time by contacting Us using the details in clause 12.

5.1 All international transfers of Personal Data from the European Economic Area (“EEA”), the United Kingdom, and Switzerland to the United States are carried out in reliance on our certification under the EU–U.S. Data Privacy Framework (“DPF”), including, where applicable, the UK Extension to the EU–U.S. DPF and the Swiss–U.S. Data Privacy Framework.

In accordance with the DPF Principles, we provide individuals with notice regarding the categories of Personal Data collected, the purposes for which it is processed, the types of third parties to which it is disclosed, and the rights and choices available to them.

5.2 SuprStack, Inc. complies with the EU–U.S. Data Privacy Framework (DPF), the UK Extension to the EU–U.S. DPF, and the Swiss–U.S. Data Privacy Framework, as set forth by the U.S. Department of Commerce.
‍
‍Declaration: SuprStack, Inc. has certified to the U.S. Department of Commerce that it adheres to the Data Privacy Framework Principles (“DPF Principles”) with regard to the processing of Personal Data transferred from the European Union, the United Kingdom (and Gibraltar), and Switzerland in reliance on the DPF.

If there is any conflict between the terms in this Privacy Policy and the DPF Principles, the DPF Principles shall govern.

You may verify our certification on the Data Privacy Framework List maintained by the U.S. Department of Commerce: https://www.dataprivacyframework.gov

‍This certification applies to all Personal Data received from the EEA, UK, and Switzerland in reliance on the DPF.

5.3 When we transfer Personal Data to jurisdictions not covered by the DPF, we rely on appropriate safeguards such as Standard Contractual Clauses or other legally recognised transfer mechanisms.

5.4  Notice, Choice, and Accountability under DPF
‍In accordance with the DPF Principles:
‍
‍(a) Right to Access
Individuals have the right to access Personal Data about them that we hold and to request correction, amendment, or deletion where it is inaccurate or processed in violation of the DPF Principles.

(b) Choice and Means to Limit Use and Disclosure
‍Individuals have the right to opt out of:
(i) the disclosure of their Personal Data to third parties not acting as agents on our behalf; and
(ii) the use of their Personal Data for purposes that are materially different from those for which it was originally collected or subsequently authorized.

We will obtain explicit consent (opt-in) before processing sensitive Personal Data or before disclosing such data to a third party or using it for a purpose other than that for which it was originally collected.

‍(c) Accountability for Onward Transfer
‍We remain responsible and liable under the DPF Principles if third-party agents that we engage to process Personal Data on our behalf do so in a manner inconsistent with the DPF Principles, unless we prove that we are not responsible for the event giving rise to the damage.

5.5 Additional DPF Commitments
‍(a) SuprStack, Inc. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
‍
(b) We may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and such disclosures may be made without prior notice where required by law.
‍
(c) We maintain mechanisms for verifying our compliance with the DPF Principles, including internal self-assessments conducted on a periodic basis.

5.6 DPF Complaint and Dispute Resolution
‍5.6.1 In compliance with the DPF Principles, we commit to resolve complaints about our collection or use of Personal Data. Individuals from the EEA, UK, or Switzerland with inquiries or complaints should first contact us using the details provided in Clause 12.

5.6.2 If a complaint cannot be resolved through our internal processes, we have committed to refer unresolved complaints to VeraSafe, an independent dispute resolution provider based in the United States, which will provide appropriate recourse free of charge.

5.6.3 To file a complaint with VeraSafe, please visit:
‍https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/

‍5.6.4 If your complaint is not resolved through these mechanisms, you may have the right to invoke binding arbitration under the DPF Principles.

6.1 We use appropriate technical and organizational measures to protect the Personal Data that We collect and Process. The measures We use are designed to provide a level of security appropriate to the risk of Processing Your Personal Data. If You have questions about the security of Your Personal Data, please contact Us using the contact details provided under clause 12.

6.2 In the event of a Personal Data breach affecting Your Personal Data, We will notify the relevant supervisory authority and, where required by applicable law, You of the breach without undue delay and in any event within the time frame prescribed under applicable data protection law (including, where applicable, within 72 hours of becoming aware of the breach, as required under Article 33 of the GDPR).

7.1 We retain Personal Data collected where an ongoing legitimate business need requires retention of such Personal Data.

7.2 We maintain a data-retention schedule organised by category of Personal Data. We perform periodic reviews of the Personal Data We hold and delete or anonymise data when it is no longer needed for its original purpose or as required by applicable law.

7.3 In the absence of a need to retain Personal Data under clause 7.1 above, We will either delete it or aggregate it, or, if this is not possible then We will securely store Your Personal Data and isolate it from any further processing until deletion is possible.

You may be entitled to the following rights under applicable data protection laws:
‍
‍8.1 Right to be Informed. You have the right to be informed about the collection and use of Your Personal Data, including the purposes of Processing, retention periods, and with whom Your data is shared. This Policy, together with any notices provided at the point of data collection, serves to fulfil this right.

‍8.2 Right of Access. You have the right to request access to and obtain a copy of Your Personal Data that We hold about You.
‍
‍8.3 Right to Rectification. You have the right to request correction of any inaccurate or incomplete Personal Data We hold about You.
‍
‍8.4 Right to Erasure. You have the right to request deletion of Your Personal Data where there is no compelling reason for its continued Processing (“right to be forgotten”).
‍
‍8.5 Right to Restriction of Processing. You have the right to request that We restrict the Processing of Your Personal Data in certain circumstances, for example where You contest the accuracy of the data or object to Our Processing.

8.6 Right to Data Portability. You have the right to receive Your Personal Data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where technically feasible.
‍
‍8.7 Right to Object. You have the right to object to the Processing of Your Personal Data where We are relying on legitimate interests as the legal basis, including direct marketing and profiling based on legitimate interests.
‍
‍8.8 Right Not to be Subject to Automated Decision-Making. Where applicable, You have the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects concerning You or similarly significantly affects You.
‍
‍8.9 Right to Withdraw Consent. Where We Process Your Personal Data based on Your consent, You have the right to withdraw that consent at any time. Withdrawing Your consent will not affect the lawfulness of any Processing We have conducted prior to Your withdrawal, nor will it affect Processing of Your Personal Data conducted in reliance on lawful Processing grounds other than consent.
‍
‍8.10 Right to Opt-Out of Marketing Communications. You have the right to opt-out of marketing communications We send You at any time. You can exercise this right by clicking on the “unsubscribe” or “Manage Preferences” link in the marketing e-mails We send You. To opt-out of other forms of marketing (such as postal marketing or telemarketing), please contact Us.
‍
‍8.11 Right to Lodge a Complaint. You have the right to lodge a complaint with Your local data protection supervisory authority about Our collection and use of Your Personal Data. For residents of the EEA, UK, or Switzerland, You may also refer to clause 13 for the contact details of Our appointed data protection representatives. For DPF-related complaints, please refer to clause 5.6.
‍
‍8.12 Response Timeframe. We will verify any requests before acting on them and will respond to all requests We receive from individuals wishing to exercise their data protection rights within 30 days, or as otherwise required by applicable law. If We require additional time to respond, We will inform You of the reason and the extension period.
‍
8.13 To exercise any of the rights set out above, please contact Us at the details provided in clause 12.

9.1 Cookies are text files that are placed on Your computer to collect standard internet log information and visitor behaviour information by Us. When You visit the Website(s), We may collect Personal Data automatically from You through cookies or similar technology. We also set cookies to collect information that is used either in aggregate form to help Us understand how Our Website(s) is being used or how effective Our marketing campaigns are, to help customise the Website(s) for You or to make advertising messages more relevant to You.
‍
‍9.2 Essential Cookies: We set essential cookies that enable core functionality such as security, network management, and accessibility. You may not opt-out of these cookies. However, You may disable these by changing Your browser settings, but this may affect how the Website(s) functions.
‍
‍9.3 Analytics, Customisation and Advertising Cookies: We set these cookies to help Us improve Our Website(s) by collecting and reporting information on how You use it. The cookies collect information in a way that does not directly identify anyone.
‍
9.4 When You visit the Website(s), a cookie banner will be displayed providing additional information about cookies and options to opt out of non-essential cookies as required by applicable laws.

We recognize the importance of children’s safety and privacy. We do not request, or knowingly collect, any Personal Data from children under the age of 18. If a parent or guardian becomes aware that his or her child has provided Us with Personal Data, they should write to Us at the email address provided in clause 12. Upon becoming aware that We have collected Personal Data from a child, We will take prompt steps to delete such data from Our systems.

11.1 SuprSend is intended for use by enterprises. Except for the Personal Data collected from You for the purposes mentioned under clause 2, this Policy is not applicable to Our Processing of any Personal Data transmitted by the Customer. We may receive Subscriber’s Personal Data as a part of the Service Data for which We will only act as a Processor and such Processing will be governed by the Terms. In such a case, the Subscriber’s data privacy questions and requests should be submitted to the Customer in its capacity as a Controller. We are not responsible for Customers’ privacy or security practices which may be different from this notice. Customers of SuprSend are solely responsible for establishing policies for and ensuring compliance with all applicable laws and regulations, as well as any and all privacy policies, agreements, or other obligations, relating to the collection of Personal Data in connection with the use of SuprSend by the Customer or the Users.
‍
11.2 When You log on to SuprSend using the online sign-on services, the social network platform may provide Us with access to certain information that You have provided them. The collection, use, and disclosure of Your Personal Data by these social networks shall be governed by the policies of such social networks and We shall have no liability or responsibility over their actions.
‍
11.3 Our Website(s) contain links to other Websites. Our Policy applies only to Our Website(s), so if You click on a link to another Website, You should read their privacy policy. We encourage You to review the privacy statements of any such other Websites to understand their Personal Data practices.

12.1 You may contact Us if You have any enquiries or feedback on Our data protection policies and procedures, or if You wish to make any request, in the following manner:
‍Kind Attention: SUPRSTACK INC
‍Email Address: support[at]suprsend[dot]com

In accordance with GDPR requirements, we have appointed representatives in the UK and EU for data protection matters. If you are located in Europe, you may contact our representatives directly regarding any inquiries related to your personal data or data protection rights.

‍UK Representative
Name: Rickert Services Ltd UK
‍Email: art-27-rep-suprstack@rickert-services.uk
‍Address: SuprStack, Inc. PO Box 1487 Peterborough, PE1 9XX, United Kingdom

‍EU Representative
Name: Rickert Rechtsanwaltsgesellschaft mbH
‍Email: art-27-rep-suprstack@rickert.law
‍Address: SuprStack, Inc. Colmantstraße 15, 53115 Bonn, Germany

Please come back and check for any updates to this Policy. If there are any material changes to this Policy We shall notify You or shall post a notice of the update on Our Website.