Last updated: July 4th, 2022
This Privacy Statement (the "Privacy Statement") is provided by:
Whereby AS ("Whereby"/"we")
Gate 1 no. 107, 6700 Måløy, Norway
Business organization number NO 997742346
This policy describes what information we collect when you use Whereby’s sites, services, mobile applications, products, and content (“Services”). It also provides information about how we store, transfer, use, and delete that information, and what choices you have with respect to the information.
This policy applies to Whereby’s online video meeting tool, including the website and mobile applications, and other Whereby websites (collectively “the Websites”), as well as other interaction (e.g. customer support conversations, user surveys and interviews etc.) you may have with Whereby.
This policy applies where we are acting as a Data Controller with respect to the personal data of users of our Services; in other words, where we determine the purposes and means of the processing of that personal data. For content and data that you upload to or make available through the Service (“User Content”), you are responsible for ensuring this content is in accordance with our Terms of Service, and that the content is not violating other users’ privacy.
How we collect, process and store information
We in Whereby are committed to safeguarding the privacy of our users. Our business model is to provide a paid service to users who need additional features on top of the Free version, and does not rely on widespread collection of general user data. We will only collect and process information that we need to deliver the service to you, and to continue to maintain and develop the service. If you are on a plan for professional use, we also collect public information about your company for our commercial purposes.
Whereby may collect, store and process various kinds of data, with different legal grounds, as listed below. For the categories of data that require your consent, we will actively ask you for consent before collecting any data. You can give and revoke your consents at any time in your Settings page.
The following is a list of data we collect, process or store, with the purpose and legal ground listed for each item or group of items having the same purpose and legal ground:
User account information. Users that choose to register in Whereby, will have to provide a valid email address or phone number. The user can also choose to enter a display name and/or add a profile picture that will be used to represent them in conversations. If you as a user choose to sign up with an external authentication service, e.g. Google Sign-In, we will fetch and store email address, name and profile image URL from this service.
Room information. To create a room in Whereby, you as a user will have to select a room name. This name will be publicly visible, and will be used by other users accessing meetings in that room. You as user are responsible for the content you enter into a room name, and the content has to be compliant with our guidelines for Prohibited Content in Terms of Services.
The information may be used for the purposes of operating our website, providing our services, ensuring the security of our website and services, maintaining back-ups of our databases and communicating with you. This is required to deliver the Service to you as user, by taking steps, at your request, to enter into and to fulfilling such a contract (Terms of Service) cf. GDPR art. 6 (1) item b.
Transaction information. Customers that choose to purchase a paid version of the Services provide Whereby (and our payment processors, including debt collectors) with billing details such as credit card information, billing email, banking information, location at the time of transaction and/or a billing address.
The transaction data may be processed for the purpose of supplying the purchased services and keeping proper records of those transactions. This data may be used for the purpose of delivering the Services to you. Processing this information is required for fulfilling the contract we entered into with you, at your request (our Terms of Service) cf. GDPR art. 6 (1) item b. Additionally, this information needs to be retained in order to comply with accounting and tax regulation cf. GDPR art. 6 (1) item c.
Usage information. When you as a user interact with the Services, we collect and process metadata to provide additional context about the way the Service is being used. The usage data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. The source of the usage data is our server software and our analytics tracking system. We may make specific offers or provide information to you based on your product usage, such as your use of certain product features or the use of the product across your company's email domain.
Product Analytics data. Whereby logs activities by you and other users when the users interact with our websites or apps, when a page or a room is visited or where there is a conversation. We will never collect or record the content in conversations.
Please note that access to the conversation metadata, such as the participants’ ID (random alphanumeric number generated by the system), display names (optional), device information, duration of the call and any issues faced during the conversation, without being able to access the video or audio content of the conversation, may be accessible to our embedded customer’s support team or adiministrators via admin dashboard
Technical log data. Like most digital services, our servers automatically collect information when Websites or Services are accessed or used and record it in log files. This log data may include the Internet Protocol (IP) address, the address of the web page visited within the Services, browser type and settings, the date and time the Services were used, information about browser configuration and plugins, language preferences and cookie data.
Device information. Whereby may collect and process information about devices used to access the Services, including type of device, what operating system is used, device settings, application IDs, unique device identifiers and crash data. Whether we collect and process some or all of this information depends on the type of device used and its settings.
Location information. We receive information from you and other third-parties that helps us approximate your location. We may, for example, use a business address submitted by your employer, or an IP address received from your browser or device to determine approximate location. Whereby may also collect location information from devices in accordance with the consent process provided by your device.
Customer Support Information. We may process information that you send to us, should you choose to submit a ticket to our support email. If you contact us, we may use your Account, Room, Transaction or Usage Information to respond.
Processing this information is required for performing the contract we entered into with you, at your request (our Terms of Service), as well as our legitimate interest of handling your requests cf. GDPR art. 6 (1) item f. Processing the information you submit and our responses to you are also necessary to help our customer support staff give each other feedback and learn, which constitutes our legitimate interest cf. GDPR art. 6 (1) item f.
Product & Marketing communication. We may process information that you provide to us in the context of signing up to our service, trial or a specific type of communication. We may ask our customers to complete reviews or to speak about their experiences using our products. If we may process more information than this, we will be transparent upfront. You can control what information we send to you by changing your Privacy settings. You also find a link to unsubscribe from our product and marketing e-mails at the bottom of each e-mail.
The legal basis for this processing is as a starting point our legitimate interest, cf. GDPR art. 6 (1) item f, in helping you put your new plan to use, sharing informational or exciting content, informing about product features, or giving you a good offer. If the processing requires your consent, cf. GDPR art 6 (1) item a, we will obtain it before we process your personal information.
Public professional information. If you are on a plan for professional use, we may also collect public information about your company. This may include information you make available through a public LinkedIn profile. We use this information to assess if we should contact your company. If you are an appropriate point of contact for your company we may seek additional public contact information through LinkedIn and Zoominfo. Both Zoominfo and LinkedIn allows you to know what data they have collected about you; you can find it here for Zoominfo and here for LinkedIn. Similar information may also be used for learning more about our job applicants where this is necessary to make decisions about their candidacy.
The legal basis for processing professional information for the purposes of initiating, maintaining or building a a contractual relationship is our legitimate interest, cf. GDPR art.6 (1) item f.
Service and transactional notifications. Sometimes we’ll send you emails about your account, service changes or new policies. You can’t opt out of this type of “service or transactional” emails (unless you delete your account) as they are necessary information for the Services.
The legal grounds for processing this information is that it is required for performing our commitment about communicating changes in plans and pricing to you in the contract we entered into with you, at your request (our Terms of Service) cf. GDPR art. 6 (1) item b, and our legitimate interest of communicating important information about your account to you, cf. GDPR art. 6 (1) item f.
Correspondence information. We may process information that you choose to share with us if you participate in a focus group, contest, activity or event, apply for a job, interact with our social media accounts or otherwise communicate with Whereby.
The correspondence data may be processed for the purposes of communicating with you and record-keeping. The legal basis for this processing is our legitimate interests cf. GDPR art. 6 (1) item f, namely the proper administration of our website and business and communications with users.
The information may be used for the purposes of operating our website and providing our services. This is required to deliver the Service to you as user, by taking steps, at your request, to enter into and to fulfilling such a contract (Terms of Service) cf. GDPR art. 6 (1) item b.
Research information We gather the data from and about the research subjects involved in the research we are conducting in relation to our product.
The legal basis for this processing is our legitimate interests cf. GDPR art. 6 (1) item f, namely the testing and improvement of our services.
Investor information We may process the data about our investors and potential investors visiting our data rooms.
The legal basis for this processing is our legitimate interests cf. GDPR art. 6 (1) item f, namely the management of our company and its finances.
Please note that, for some of our customers, we are the processor of the following and other data categories: Display Name, Email address, Admin user (yes / no), Organization affiliation (for personal user accounts associated with a Business account), Video rooms created, Room name, Profile picture, Background picture.
How we process media (audio/video)
Participants exchange media such as audio, video and screen sharing within meetings. We only process media to enable participants to use our Service; we do not process media for our own purposes.
The legal ground for processing media is to fulfill the contract (Terms of Service) cf. GDPR art. 6 (1) item b.
We will not store any meeting recordings or media sent between participants in a room, except on a strictly transient basis where this is a necessary part of the transmission. Customers who have access to the “Recording” feature will be able to record meetings, and they are then responsible for collecting consents from all participants in the meeting prior to starting the recording. They are also responsible for storing and processing the recording in compliance with regulations after downloading it from Whereby.
Rooms will by default be set to Group call mode. Group call mode is delivered over a dedicated server infrastructure to allow many people in conversation while ensuring good stability. Your stream will be sent through video router servers which transmits it to the other participants in the call, and also transmits their streams to you. Streams will always be encrypted (DTLS-SRTP) in transit, but will be decrypted and re-encrypted when passing through the video routers. We operate an infrastructure of video routers distributed across the world, and you will be automatically routed to the closest one. The video router servers and all of our infrastructure adhere to strict security measures, preventing any eavesdropping or interruption of the video/audio streams.
Users can also choose to use “Small meeting” mode in Room Settings if they wish to prioritise having end-to-end encryption over quality and stability. In “Small meeting” mode, communication between participants is primarily sent through peer-to-peer connections, where audio and video streams are sent directly between participants and do not pass through any of our servers. Video and audio transmitted in the Service is then sent directly between the participants in a room and is encrypted (DTLS-SRTP) with client-generated encryption keys. In cases where a user is behind a strict firewall or NAT, video and audio need to be relayed via a TURN server, but end-to-end encryption is still maintained.
Providing your personal data to others
We may share information with third parties in some circumstances, including: (1) with your consent; (2) to a service provider or partner who meets our data protection standards; (3) with academic or non-profit researchers, with aggregation, anonymization; (4) when we have a good faith belief it is required by law, such as pursuant to a subpoena or other legal process; (5) to protect the vital interest of others, when we have reason to believe that doing so will prevent harm to someone or illegal activities.
Our categories of service providers and partners are:
Payment processors, including debt collectors
Analysis tools providers
Customer Support tools providers
Marketing and email providers
Co-marketing content providers
Recruiting tools providers
Internal communication tools providers
Law enforcement and judiciary based on a lawful order based on the jurisdiction we are subject to, or to combat unlawful use of our platform.
We only share data with co-marketing content partners when you, at your own initiative, fill a form to obtain the content. We will make sure it is clear to you that we have developed the content with our partner and that the partner will also obtain relevant information.
We may disclose your personal data to any member of our group of companies (this means our subsidiaries, our ultimate holding company and all its subsidiaries) insofar as reasonably necessary for the purposes, and on the legal bases, set out in this policy.
International transfers of your personal data
In some circumstances your personal data may be transferred to countries outside the European Economic Area (EEA). You acknowledge that personal data that you submit for publication through our website or services may be available, via the internet, around the world. We cannot prevent the use (or misuse) of such personal data by others. For information about what types of content you as a user are responsible, see this Terms of Service.
We and our other group companies have offices and facilities in Norway, the United Kingdom and the United States. The hosting facilities for Account information stored by Whereby are situated in Ireland. The hosting facilities for Usage information are situated in Ireland and the United States. Transfers to the United States will be protected by appropriate safeguards, namely the use of Standard Contractual Clause (SCC) adopted or approved by the European Commission.
Please note that, for new data transfers, we will continue to rely on the old SCCs until September 27,2021. For existing transfer, we will continue to rely on SCCs until December 27, 2022, by which time all data transfers relying on the old SCCs will be moved over to the new SCCs adopted and approved by the European Commission.
Retaining and deleting personal data
Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
We will retain your personal data as follows:
Transaction information will be retained for a minimum period of 5 years following date of the transaction, and for a maximum period of 10 years following the date of the transaction.
In some cases it is not possible for us to specify in advance the periods for which your personal data will be retained. In such cases, we will determine the period of retention based on the following criteria:
Account information, Room information will be retained until you decide to delete your account or delete a room in Whereby.
Information about you used for Product & Marketing communication will be retained until you opt-out or withdraw your opt-in. You can change permissions through Privacy Settings.
The period of retention of usage information will be determined based on the need for historical data to determine statistical validity and relevance for product decisions and technical monitoring.
Regardless of the provisions above, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
Whereby is only for people 16 years old and over. By using Whereby, you affirm that you are over 16. If we learn that someone under 16 is using Whereby, we’ll terminate their account. For use in educational settings or use of our Embedded product in your own service, contact us. We encourage parents with concerns to contact us at firstname.lastname@example.org.
Changes to this policy
We can change these Terms at any time. We keep a historical record of all changes to our Terms on GitHub. If a change is material, we’ll let you know before it takes effect. By using Whereby on or after that effective date, you agree to the new Terms. If you don’t agree to them, you should delete your account before they take effect, otherwise your use of the Service and Content will be subject to the new Terms.
Managing and deleting your personal information
If you have a Whereby account, you can access, modify or export your personal information, or delete your account in Settings. If you delete your account, your information and content will be unrecoverable after that time. You may instruct us at any time not to process your personal information for marketing purposes, by adjusting your Privacy settings). We may withhold personal information that you request to the extent permitted by law.
As an individual you are granted rights according to the applicable data protection law:
The right to access to your personal data
The right to rectification of your personal data
The right to object to and restriction of our processing of your personal data
The also right to be forgotten; erasure of your data.
The right to data portability.
If you have provided your consent to your processing of personal data, you may also withdraw your consent at any time, on our Settings > Consent page.
The rights are not absolute, and you may read more about your rights in the EU general data protection regulation Chapter III, or at https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens_en
To exercise your rights or if you otherwise have any questions regarding our processing of your personal data, we encourage you to contact us as described below. However, we also notify you that you may raise a complaint to a data protection authority. As a Norwegian company, Whereby uses the Norwegian Data Protection Authority (Datatilsynet) as a supervising authority. You may find further information on their website: https://www.datatilsynet.no/. You may contact your national/state supervisory authority, but Whereby will retain the Norwegian Data Protection Authority as our lead supervisory authority.