PRIVACY STATEMENT

This Privacy Statement is effective as of February 19, 2024

We love our users, and it's evident in everything we do. We chat with them daily to ensure we're creating something they truly enjoy. This commitment extends to the finer details, even the ones users might not notice, like legal policies, privacy statements, and other places the devil hides.

This Privacy Statement is important. This statement applies to our handling of information about site visitors, prospective customers, and customers (collectively, you). We outline our practices for collecting, using, sharing, and processing your personal data, and the choices and rights you have.

More important: Our privacy framework. This privacy statement is just the tip of the “iceberg,” meaning just the most visible part of our framework of policies, processes, and internal controls for privacy and data security that we've carefully thought through from bottom to top. These are made and followed in a culture and with a leadership that emphasizes privacy, respect, accountability, and excellence.

Most important: Built-On-Privacy. Privacy and respect for our users are literally built into our DNA. What do we mean? Everyone talks about privacy policies and how difficult they are to read, and on and on. That's true, and by anchoring the public debate, the very idea of these “policies” successfully serves its first purpose: misdirection. There is a context to every privacy policy, a bigger picture, that's most important. Here's the real bottom line you need to know about us before you dive into the details.

What “Built-On-Privacy” means:

  1. We do not make money from personal data. Our business model is not based on targeted advertising, platform network effects, or selling personal data, directly or indirectly. We aren't a business built on an inherent conflict of interest - this is what it means to have privacy in our DNA.
  2. Our sole purpose for using personal data is to provide and improve products and services for our users. The details are below, where we clearly disclose the specific purposes and features data is used for.
  3. We collect only the minimum amount of personal data necessary. We clearly disclose what personal data we collect, and only collect the minimum data necessary. This is sometimes called “privacy-by-design.” Consider that privacy policies, in an essential sense, are unearned demands by companies for your trust: that they will keep their word, that they will keep the data safe. Our view: what we don't have, we can't misuse, we can't be hacked for.
  4. We are a stable, profitable company with no outside funding and no VC or investor interference or pressure. We mean it when we say we only want to create things people love. You know who our founder and CEO is. No one else has a say.

Our commitment to excellence and your satisfaction in everything we do is unwavering. This is an ongoing process, as we continually strive to push the envelope. Your feedback is invaluable to us—help us improve by sharing your thoughts. As always, you're welcome to email our founder directly.

WE DO NOT COLLECT SENSITIVE PERSONAL DATA.

If you are a California resident, please click here to see our California Notice at Collection, which includes additional disclosures as required by California law.

Margin notes are for informational purposes only. They are not legally binding and do not alter these terms. In case of any conflict, these Terms of Service shall prevail. They are not a substitute for legal advice.

WHAT DATA DO WE GATHER ABOUT YOU?

This section describes the various types of information that we collect and how we use it. “Personal data” means data or information that identifies, relates to, or describes you, or is reasonably capable of being associated with or could reasonably be linked to you. Under federal and state law, personal data does not include information made available from federal, state, or local government records.

  1. Data You Voluntarily Give Us

    This information includes account information, interactions on webpages, notes or transcripts of your conversations with us for support purposes, information to improve our business operations, and more.

    1. For Your Account. When you sign up, we collect your name, your email address, and country. We may also store your details from business contact information that you provide to us, or that we collect from your organization or our service providers.
    2. For Billing. To process payments, we collect and use your payment information. This can include your name, your address, your telephone number, your email address, your credit or debit card information, and other relevant information. Note that our payment processing vendors collect your credit or debit card information, and this information is not passed back to us.
    3. Correspondence. When you email us with a question or to ask for help, or interact with a help chatbot, we keep the correspondence, including your email address, or transcript of chat history, so that we have a history of past correspondence to reference if you reach out in the future.
    4. Feedback. If you provide feedback to us, we keep notes and records relating to your feedback. We also retain any other information you voluntarily provide, such as written survey responses. If you consent to a customer interview, we may request your permission to record the conversation for internal reference or training purposes. We will only do so if you expressly approve.
    5. Your responses to surveys that we might ask you to complete for research purposes.
    6. Details of transactions you carry out through our Website and of the fulfillment of your orders. You may be required to provide financial information before placing an order through our Website.
    7. Your search queries on the Website.

    A Note about Sensitive Personal Data. We aim to avoid collecting sensitive personal details about you. This includes government-issued IDs (e.g. driver's license, passport, or social security number), racial or ethnic background, political views, religious beliefs, health information, biometric or genetic traits, trade union membership, sexuality (including details about sex life or sexual orientation), and criminal history. However, please note that certain laws consider account access information, like a username and password, as sensitive personal data.

  2. Data Collected Automatically
    1. Website Interactions. As you navigate through and interact with our website, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including: details of your visits to our website, including traffic data, location data, logs, and other communication data and the resources that you access and use on the website, and information about your computer and internet connection, including your IP address, operating system, and browser type. If you interact on our website, we will track your activities online, but we do not know who you are. However, if you submit a form with your contact information, we will engage with you as requested and may follow up with you to further build a relationship.
    2. The technologies we use for this automatic data collection may include:

      • Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting, you may be unable to access certain parts of our website.
      • Web Beacons. Pages of our Website (and our emails) may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity). These may interact with technology from our third-party service providers.

      California Do Not Track Disclosure. Some browsers include a “Do Not Track” (DNT) setting that can send a signal to the websites you visit indicating you do not wish to be tracked. However, since there is no consensus on how browsers are to interpret the DNT signal, our Website does not respond to browser DNT signals.

    3. Geolocation Information. We log the full IP address used to sign up an account and retain that for purposes of mitigating future spammy signups. We also log all account access by full IP address for security and fraud prevention purposes, and we keep this login data for as long as your account is active.
    4. Malicious Activities. We may use specialized tooling and other technical means to collect information at access points to, and in, IT systems and networks to detect unauthorized access, viruses, and indications of malicious activities. The information we collect may be used to conduct investigations when unauthorized access, malware or malicious activities are suspected.
    5. Personal Contacts. We never scan your device for contacts or upload them.
  3. Data We Create or Generate
    1. Aggregated and de-identified data. We may aggregate and/or de-identify information collected through the services, so that it no longer identifies you under applicable laws. We may use de-identified or aggregated data for any purpose, including marketing or analytics.
    2. Artificial Intelligence. We may infer new information from data we collect, including using automated means such as artificial intelligence, which may include use of third party artificial intelligence or machine learning services, to generate information about your likely preferences or other characteristics.
  4. Data Collected From Other Sources
    1. U.S. Government Databases. Shipment records like bills of lading that we compile, enrich, organize and present may sometimes include personal information, like names and addresses (“Publicly Filed Personal Information” or “PFPI”). These public records are made available by the federal government, including from the Customs and Border Patrol (CBP), and ultimately, the National Archives (with bills of lading going back over 200 years).

    Under federal and state law, and as commonly known in the shipping industry, Publicly Filed Personal Information is not personal data. To be clear, we are under no legal obligations to remove PFPI. That said, we do not knowingly index, tag, structure, format, identify, or make PFPI accessible as such at any point during our intake process or later in connection with the Services. Further, in practice, we aggressively implement and continue to fine-tune algorithms to detect PFPI in our databases in order to delete or redact such information.

    If you are someone with PFPI, it is easy to ask the CBP to make this information confidential, often within 24 hours. Please see our Publicly-Filed Personal Information Notice.

WHAT DO WE DO WITH DATA ABOUT YOU?
  1. Services. We use your data to help you use our services, such as:

    • To present our Website and its contents to you
    • Making our services available
    • Arranging access to your account
    • Providing customer service
    • Responding to your inquiries, requests, suggestions or complaints
    • Completing your payments and transactions
    • Sending service-related messages
    • Saving your searches and notes
    • Sending optional surveys to help improve our services
    • With your consent, sending newsletters and other updates
  2. Personalization and Marketing. We use your data to communicate with you about relevant features and services. We also use this information to personalize your online experience with our content and to develop internal marketing and business intelligence.
  3. Improving Business Operations. We may use your data to improve our business operations, systems, and processes. For example, information may be used to audit and optimize our operations, or for product development.
  4. Support Services. We may use your data to help you troubleshoot a software bug. When you contact us to request support, we collect your contact information, problem description, and possible resolutions. We may record the information that you provide during a support incident for quality assurance purposes.
  5. Security. We may collect and use data to protect you and us from IT security threats and to secure the information that we hold from unauthorized access.
  6. Restricted Uses. Accessing a customer's account when investigating potential abuse is a measure of last resort. We want to protect the privacy and safety of both our customers and the people reporting issues to us, and we do our best to balance those responsibilities throughout the process. If we discover you are using our products for a restricted purpose, we will take action as necessary, including notifying appropriate authorities where warranted.
  7. To fulfill any other purpose for which you provide it.
  8. To notify you about changes to our Website or any products or services we offer or provide through it.
  9. In any other way we may describe when you provide the information.
  10. For any other purpose with your consent.

WHO DO WE SHARE WITH OR DISCLOSE DATA TO?

We won't share your information unless it's needed for our business or we're required to do so by law. We may disclose aggregated or anonymized information about our users, and information that does not identify any individual, without restriction. We may disclose personal information that we collect or you provide as described in this privacy policy:

  1. Service Providers. We work with service providers to carry out certain tasks, including:

    • Providing you the services
    • Processing your payments
    • Fulfilling your orders
    • Maintaining technology and related infrastructure
    • Offering you customer service
    • Distributing emails
    • List processing and analytics
    • Managing and analyzing research
  2. We use well-known service providers that implement rigorous technical and organizational measures, including at least SOC 2 attestation and often additional qualifications like ISO 27018 certification (information below current as of the date of this statement). All have executed Data Processing Agreements (DPAs) unless otherwise noted.

    • Rudderstack: SOC 2 Type 2, ISO 27001 and 27018, GDPR compliance: Open-source Customer Data Platform (CDP) that integrates with over 150 analytics, marketing, and data storage tools and data warehouses, enabling businesses to collect, unify, and activate their customer data across various platforms. Our mutual data processing agreement (DPA) with Rudderstack is here. See their privacy policy.
    • Hubspot: SOC 2 Type 2, SOC 3, GDPR compliance: Cloud-based CRM platform that includes marketing, sales, customer service, and content management solutions to help businesses grow better. Our mutual data processing agreement (DPA) with Customer.io is here. See their privacy policy.
    • Customer.io: SOC 2 Type 2, HIPAA, GDPR: Marketing automation platform that enables businesses to send targeted emails, push notifications, and SMS messages based on customer behavior and data. Our mutual data processing agreement (DPA) with Customer.io is here. See their privacy policy.
    • Google Analytics: SOC 2 Type 2, SOC 3, ISO 27001/18: Web analytics service offered by Google that tracks and reports website traffic, providing insights into user behavior and website performance. Our mutual data processing agreement (DPA) with Google Analytics is here. See their privacy policy.
    • Mixpanel: SOC 2 Type 2, ISO 27701, GDPR-compliant: Analytics for mobile and web, allowing businesses to analyze user interactions with applications through event tracking and tailored reports. Our mutual data processing agreement (DPA) with Mixpanel is here. See their privacy policy.
    • Amazon Web Services (AWS): ISO Certified, GDPR compliance: Comprehensive and widely adopted cloud platform that offers over 200 key essential for online services from data centers globally, supporting a variety of workloads and applications. Our mutual data processing agreement (DPA) with AWS is here. See their privacy policy.
    • Google Cloud Platform (GCP): SOC 2 Type 2, GDPR compliance: Suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products, such as Google Search, Gmail, and YouTube. Our mutual data processing agreement (DPA) with GCP is here. See their privacy policy.
    • ChargeBee: SOC 2 Type 2: Subscription billing and revenue management platform that simplifies the back-end complexities of managing subscription business models. Our mutual data processing agreement (DPA) with ChargeBee is here. See their privacy policy.
    • Stripe: SOC 2 Type 2: Economic infrastructure for the internet, providing payment processing software and APIs for e-commerce websites and mobile applications. Our mutual data processing agreement (DPA) with Stripe is here. See their privacy policy.
    • New Relic: SOC 2 Type 2: Application Performance Monitoring. It helps us understand how fast ImportYeti is and catch errors. Our mutual data processing agreement (DPA) with New Relic is here. See their privacy policy.
    • Front: SOC 2 Type 2: Our email inbox management platform that allows us to create stellar customer service. Our mutual data processing agreement (DPA) with Front is here. See their privacy policy.
    • Zoom: SOC 2 Type 2: Awesome video calls. Our mutual data processing agreement (DPA) with Zoom is here. See their privacy policy.
    • Cloudflare: SOC 2 Type 2: Provides stellar cybersecurity features and improves ImportYeti's site speed. Our mutual data processing agreement (DPA) with Cloudflare is here. See their privacy policy.
    • Quickbooks: SOC 2 Type 2: Our accounting platform. Our mutual data processing agreement (DPA) with Quickbooks is here. See their privacy policy.
    • PayPal: SOC 2 Type 2: Easy online money transfers, especially for people outside the United States. Our mutual data processing agreement (DPA) with PayPal is here. See their privacy policy.
    • Slack: SOC 2 Type 2: Provides our internal team the ability to communicate efficiently. Our mutual data processing agreement (DPA) with Slack is here. See their privacy policy.
    • Ringover: Handles ImportYeti's phone traffic. Our mutual data processing agreement (DPA) with Ringover is here. See their privacy policy.
  3. Internal Usage. Our internal access to personal data is restricted and granted only on a need-to-know basis. Sharing of this information is subject to the appropriate intracompany arrangements, our policies, and security standards.

  4. Governmental Requests. We don't respond to government requests for user data unless we are compelled by legal process or in limited circumstances in the event of an emergency request. Our policy is to notify affected users before we disclose data unless we are legally prohibited from doing so, and except in some emergency cases.

  5. Tax Audits. If we are audited by a tax authority, we may be required to disclose billing-related information. If that happens, we will disclose only the minimum needed, such as billing addresses and tax exemption information.

  6. Acquisition. If we are acquired by or merge with another company — we don't plan on that, we have deliberately avoided outside financing to ensure our autonomy, but if it happens — or in connection with a liquidation, bankruptcy or similar proceeding, we will notify you well before any of your personal data is transferred or becomes subject to a different privacy policy. Some information may be disclosed to potential purchasers.

WHAT ARE YOUR RIGHTS AND CHOICES?

In many jurisdictions, you have certain rights and choices when it comes to the handling of your personal data. At ImportYeti, we strive to apply the same data rights to all users, regardless of their location.

  1. ImportYeti Bill of Privacy Rights. We honor requests from all of our users, regardless of their location, to exercise the same rights that our California users have in accordance with our California Supplemental Privacy Statement. These include the exercise of the following choices (our “Bill of Rights”):

    • Access to the personal data that we have on you, or have it updated or corrected.
    • Obtain your personal data in a usable format, for transmittal to another party (a/k/a the right to data portability).
    • Request to delete the personal data we hold about you.
    • Opt-out of or restrict certain specific personal data processing types.
  2. Exercising Your Choices and Rights. To exercise any of these choices, or any of your rights under applicable law, please reach us at [email protected]. Please be specific in your request. For example, let us know exactly what needs updating, if you want your information removed, or how you'd like us to handle your personal data. Please email us from the account associated with your personal data, since we only handle requests linked to an email we have on file. We will send a confirmation to this email, and in some instances, additional details may be required to confirm your identity. We'll respond to your request in a manner consistent with applicable law, including any exceptions that may result in a request being denied in whole or in part.

  3. State Consumer & Privacy Laws. State consumer & privacy laws may provide their residents with additional rights regarding use of their personal information. California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia generally provide their state residents with rights to:

    • Confirm whether we process their personal information.
    • Access and delete certain personal information.
    • Correct inaccuracies in their personal information (excluding Iowa and Utah).
    • Data portability.
    • Opt-out of personal data processing for: (a) targeted advertising (excluding Iowa), (b) sales, and (c) profiling in furtherance of decisions with legal effects (excluding Iowa and Utah).

    As described in more detail below, California residents have the right to instruct us to not “sell” or “share” their personal data. (Again: not applicable, as we don't sell your personal data.) Residents of Colorado, Connecticut, Virginia and Utah have the right to opt out of “targeted advertising” and “sales” (as defined under applicable law). (Again: not applicable, we don't sell targeted ads, we don't sell personal data).

    The exact scope of these rights may vary by state. To learn more about California residents' privacy rights, visit our California Supplemental Privacy Statement.

    Residents of the European Union and the United Kingdom generally also enjoy these and other rights, for example, the right to withdraw consent for future processing.

    In certain jurisdictions, it's possible to designate an authorized agent to act on your behalf. In this case, furnish the designated agent with written permission, signed by you, authorizing them to submit the request in your name. Ensure that the agent includes this written consent when making the request. We may reach out to you for identity verification, including confirmation of the agent's permission, before responding to the request.

    Not intended as legal advice. Details concerning privacy rights are offered solely for general informational purposes. We have tried to be accurate as of the statement date, but all information is provided “as is.” For questions about your specific legal rights, please consult your own personal attorney.

HOW DO YOU PROTECT OUR DATA?

We make reasonable efforts to provide a level of security appropriate to the risk associated with the processing of your personal data. We maintain organizational, technical and administrative measures designed to protect personal data against unauthorized access, destruction, loss, alteration or misuse.

These measures include role-based access controls and encryption to keep personal data private while in transit. All data is encrypted via SSL/TLS when transmitted from our servers to your browser. The database backups are also encrypted. All information you provide to us is stored on our secure servers behind firewalls. Any payment transactions will be encrypted using SSL technology.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted to our Website. Any transmission of personal data is at your own risk.

HOW LONG DO YOU STORE OUR DATA?

We only retain personal data as long as necessary to fulfill the purposes for which it is processed, or to comply with legal and regulatory retention requirements. Legal and regulatory retention requirements may include retaining information for:

  • audit and accounting purposes,
  • statutory retention terms,
  • the handling of disputes,
  • and the establishment, exercise, or defense of legal claims in the countries where we do business.

We retain any contractual relationship information for administrative purposes, legal and regulatory retention requirements, defending ImportYeti's rights, and to manage our relationship with you.

When personal data is no longer needed, we have processes in place to securely delete it, for example by erasing electronic files and shredding physical records.

TRANSFER OF PERSONAL DATA INTO THE UNITED STATES

Location of Services

The ImportYeti services are housed in the United States.

If you are located outside of the United States, please be aware that any information you provide to us will be transferred to and stored in the United States. By using our websites or services and/or providing us with your personal data, you consent to this transfer.

Transfer from the European Union & United Kingdom

The European Data Protection Board (EDPB) has issued guidance stating that personal data transferred out of the EU must receive an equivalent level of protection as granted under EU privacy law. UK legislation also offers similar safeguards for UK user data when transferred outside the UK.

To adhere to these requirements, ImportYeti has implemented a Data Processing Addendum that incorporates Standard Contractual Clauses, which can be accessed here.

Additionally, there are sporadic instances where EU personal data may be transmitted to the U.S. in the course of ImportYeti's operations. For instance, this may occur when an EU user subscribes to our newsletter, participates in surveys, or makes purchases from our online store. These transfers are infrequent, and data is shared under the Article 49(1)(b) derogation as specified in GDPR and its UK counterpart.

Controller

The privacy laws in some countries consider a Controller to be the legal entity (or natural person) who defines the purposes for which the processing of personal data takes place and how that information is processed. Parties that are involved in processing operations on behalf of a Controller may be designated as Processors. Designations and associated obligations differ, depending on the jurisdiction.

Where this is relevant for the privacy laws in your country, the Controller of your personal data is ImportYeti, LLC. Our contact details are: 22 Mauchly, Irvine CA 92618

CHANGES AND QUESTIONS

We may update this policy as needed to comply with relevant regulations and reflect any new practices. If we make significant changes, we will refresh the date at the top of this page and notify users who have signed up to our policy updates mailing list.

Contact Information

If you have any questions, concerns, or requests regarding your personal data, this Privacy Policy, or our data practices, please do not hesitate to contact us. You may reach our Privacy Team at the following contact information:

Company Name: ImportYeti, LLC

Email Address: [email protected]

Physical Address: 24383 Marquis Court, Laguna Hills, CA 92653

We are committed to addressing your inquiries promptly and in accordance with applicable data protection laws. Your privacy is important to us, and we appreciate your trust in our handling of your information.