(i) CustomerData: personal data that we collect, process and manage on behalf of ourbusiness customers (“Customers”), submitted to the monday.comcloud-based services, including our platforms, products, applications,application programming interface (“API”), tools, and any ancillary orsupplementary monday.com products and services (including Upgrades (as definedin the Termsof Service)), offered online and via a mobile application(collectively, “Platform”).
We process such CustomerData on behalf and under the instruction of the respective Customer in ourcapacity as a “data processor”, in accordance with our DataProcessing Addendum with them. For more information, pleaserefer to Section 9 below.
(ii) User Data:personal data concerning our Customers’ internal focal persons who directlyengage with monday.com concerning their monday.com account (e.g. billingcontacts and authorized signatories), Customers’ Account Admins, and authorizedusers of the Platform (collectively, “Users”);
(iii) ProspectData: data relating to visitors of our websites (including but not limitedto www.monday.com),participants at events, and any other prospective customer, user or partner(collectively, “Prospects”) who visit or otherwise interact with ourprograms, marketing and social activities and our websites, digital ads andcontent, emails, integrations or communications under our control (“Sites”).
(iv) TechnologyPartner Data: data relating to individuals participating and/or engaging asa participant, candidate, applicant or any other prospective or existingtechnology partners (including as developer or technology ambassadors)(collectively, “Technology Partner”) who interact with our Platform,Sites, events and/or other platforms utilized by monday.com.
1. Data Collection & Processing
2. Data Uses & Legal Bases
3. Data Location and Retention
4. Data Disclosures
5. Cookies and Tracking Technologies
7. Data Security
8. Data Subject Rights
9. Data Controller/Processor
10. Additional Notices
You are not legallyrequired to provide us with any of your personal data, and may do so (or avoiddoing so) at your own free will. If you do not wish to provide us with yourpersonal data, or to have it processed by us or any of our services providers, pleasesimply do not visit or interact with our Sites, nor use our Services.
You may also choose notto provide us with “optional” personal data (i.e. “not required” fields onforms), but please keep in mind that without it we may not be able to provideyou with the full range of our Services or with the best user experience whenusing our Services.
1. Data Collection &Processing
We collect or generatethe following categories of personal data in relation to the Services:
· Usage and device information concerning our Users,Prospects and Technology Partners:
· Connectivity, technical and usage data, such as IPaddresses and approximate general locations derived from such IP addresses,device and application data (like type, operating system, mobile device or appid, browser version, location and language settings used), activity logs, therelevant cookies and pixels installed or utilized on your device, and therecorded activity (sessions, clicks, use of features, logged activities andother interactions) of Prospects, Users and Technology Partners in connection withour Services.
· We collect and generate this information automatically,including through the use of analytics tools (including cookies and pixels) –which collect data such as: how often Prospects or Technology Partners visit oruse the Sites, which pages they visit and when, which website, ad or emailmessage brought them there, and how Users interact with and use the Platformand its various features.
· Contact and profile information concerning ourCustomers, Users, Prospects and Technology Partners:
· Name, email, phone number, position, workplace, profilepicture, login credentials, contractual and billing details, and any otherinformation submitted by Account Admins and Users or otherwise available to uswhen they sign up or log in to the Platform (either directly or through theirsocial media or organizational Single-Sign-On account), when creating theirindividual profile (“User Profile”), or by updating their account.
· We collect this information directly from you, or fromother sources and third parties such as our Customer (your employer), Users andcolleagues related to your organizational monday.com account, organizers ofevents or promotions that both you and us were involved in, and through the useof tools and channels commonly used for connecting between companies andindividual professionals in order to explore potential business and employmentopportunities, such as LinkedIn, ZoomInfo, Clearbit, Cognism and Lusha.
· Communications with our Customers, Users, Prospects andTechnology Partners:
· Personal data contained in any forms and inquiries thatyou may submit to us, including support requests, interactions through socialmedia channels and instant messaging apps, registrations to events that wehost, organize or sponsor, and participation in our online and offlinecommunities and activities); surveys, feedback and testimonials received;expressed, presumed or identified needs, preferences, attributes and insightsrelevant to our potential or existing engagement; and sensory information includingphone call and video conference recordings (e.g., with our customer experienceor product consultants), as well as written correspondences, screen recordings,screenshots, documentation and related information that may be automaticallyrecorded, tracked, transcribed and analyzed, for purposes including analytics,quality control and improvements, training, and record-keeping purposes.
For the purposes of theCalifornia Consumer Privacy Act (“CCPA”), specifically in the lasttwelve (12) months, we have collected the following categories of PersonalInformation: Identifiers; Professional or Employment-Related Information;Internet or other Electronic Network Activity Information; Customer Records Information;and Geolocation Information. We do not use or disclose sensitive personalinformation as defined in the CCPA.
2. Data Uses & LegalBases
We use personal data asnecessary for the performance of our Services (“Performance of Contract”);to comply with our legal and contractual obligations (“Legal Obligations”);and to support our legitimate interests in maintaining and improving ourServices, e.g. in understanding how our Services are used and how our campaignsare performing, and gaining insights which help us dedicate our resources andefforts more efficiently; in marketing, advertising and selling our Services toyou and others; providing customer services and technical support; andprotecting and securing our Users, Customers, Prospects and TechnologyPartners, ourselves and our Services (“Legitimate Interests”).
Specifically, we usepersonal data for the following purposes (and in reliance on the legal basesfor processing noted next to them, as appropriate):
Customer and Userpersonal data
· To facilitate, operate, enhance, secure and provide ourServices; (Performance of Contract; Legitimate Interests)
· To invoice and process payments (Performance ofContract; Legitimate Interests); and
· To personalize our Services, including by recognizingan individual and remembering their information when they return to ourServices, and to provide further localization and personalizationcapabilities (Performance of Contract; Legitimate Interests).
Customer, User, Prospectand Technology Partner personal data
· To provide our Prospects, Users, Technology Partnersand Customers with assistance and support, to test and monitor the Services,diagnose or fix technical issues, and to train our Customers’ andCustomer-facing staff (Performance of Contract; Legitimate Interests);
· To gain a better understanding of how Users, Prospectsand Technology Partners evaluate, use, and interact with our Services, toutilize such information to continuously improve our Services, the overallperformance, user-experience and value generated therefrom. We collect suchinformation automatically through their usage of the Services, includingthrough User’s utilization of artificial intelligence capabilities in thePlatform (Legitimate Interests);
· To create aggregated, statistical data, inferrednon-personal data or anonymized or pseudonymized data (rendered non-personal),which we or others may use to provide and improve our respective Services, orfor any other business purpose such as business intelligence (LegitimateInterests);
· To facilitate and optimize our marketing campaigns, admanagement and sales operations, and to manage and deliver advertisements forour Services more effectively, including on other websites and applications.Such activities allow us to highlight the benefits of using our Services, andthereby to increase your engagement and overall satisfaction with our Services.This includes contextual, behavioral and interests-based advertising based onUser, Prospect and Technology Partner activities, preferences or other dataavailable to us or to our Services Providers (as defined below), and businesspartners (Legitimate Interests; Consent);
· To contact our Customers, Users, Prospects andTechnology Partners with general or personalized Services-related messages, aswell as promotional messages that may be of specific interest to them (Performanceof Contract; Legitimate Interests; Consent);
· To support and enhance our data security measures,including for the purposes of preventing and mitigating the risks of fraud,error or any illegal or prohibited activity (Performance of Contact;Legitimate Interests; Legal Obligation);
· To explore and pursue growth opportunities byfacilitating a stronger local presence and tailored experiences, includingthrough partnerships with local distributors, resellers, business partners andproviders of professional services related to our Services (“Partners”,as further described in Section 4 below) (Legitimate Interests);
· To facilitate, sponsor and offer certain events,webinars, contests and promotions (Legitimate Interests);
· To publish your feedback and submissions to our Sites,public forums and blogs (Performance of Contract; Legitimate Interests);
· To comply with our contractual and legal obligationsand requirements, and maintain our compliance with applicable laws, regulationsand standards (Performance of Contract; Legitimate Interests; LegalObligation); and
· For any other lawful purpose, or other purpose that youconsent to in connection with provisioning our Services. (LegalObligation; Consent).
With respect to personaldata we obtain from Google OAuth API Scopes, used in our integration withcertain Google Services (“Integrated Google Services”), our use of suchpersonal data and data aggregated, anonymized, or derived therefrom (“Restrictedpersonal data”), is limited to the following purposes, in adherence withthe Limited Use requirements as detailed in Google API Services Data Policy (versionof September 3, 2020):
· Facilitating, operating, supporting, providing andimproving user-facing features that are prominent in the Integrated GoogleServices (Performance of Contract; Legitimate Interests);
· Troubleshooting or security purposes (such asinvestigating a bug or abuse), subject to the Users’ prior consent, insofaraccess to Restricted personal data is required to resolve a support issue (Performanceof Contract; Legitimate Interests);
· Compliance with applicable law and regulations (LegalObligation);
· For our internal operations, provided that theRestricted personal data (including derivations thereof) have been aggregatedand anonymized (Legitimate Interests);
· Otherwise in strict accordance with your affirmativeagreement.
3. Data Location &Retention
Data Location: We and our authorizedService Providers (defined below) maintain, store and process personal data inthe United States (US), Europe, Israel, Australia, Guatemala, the Philippines,Brazil, Japan, Singapore, the United Kingdom (UK), and other locations asreasonably necessary for the proper performance and delivery of our Services,or as may be required by applicable law.
monday.com Ltd. isheadquartered in Israel, a jurisdiction which is considered by the EuropeanCommission, the UK Secretary of State, and the Swiss Federal Data Protectionand Information Commissioner (FDPIC), to be offering an adequate level ofprotection for personal data of individuals residing in EU Member States, theUK and Switzerland, respectively. We transfer data from the European EconomicArea (EEA), the UK and Switzerland to Israel on this basis.
monday.com Inc., our USsubsidiary, complies with the EU-US Data Privacy Framework (EU-US DPF), the UKExtension to the EU-US DPF, and the Swiss-US Data Privacy Framework as setforth by the US Department of Commerce, and where appropriate – primarily relieson such certification for accepting transfers of data from the EEA, UK andSwitzerland to the US (as applicable).
For data transfers fromthe EEA, the UK and Switzerland to countries which are not considered to beoffering an adequate level of data protection, we and the relevant dataexporters and importers have entered into Standard Contractual Clauses asapproved by the European Commission, the UK Information Commissioner’s Office(ICO), and the Swiss FDPIC, as applicable. You can obtain a copy by contactingus as indicated in Section 10 below.
Please note that wheremonday.com processes personal data on behalf of a Customer, such personal data(included in their Customer Data) may only be processed in accordance with, andin the locations as agreed in our Data Processing Addendum and othercommercial agreements with such Customer (as further described in Section 9below).
Complaints abouttransfers of data from the EU, UK or Switzerland to the US & disputeresolution: In compliance with theDPF Principles, we commit to resolve complaints about our collection or use ofyour personal data. EEA, UK and Swiss individuals with inquiries or complaintsregarding our DPF compliance should submit enquiries to firstname.lastname@example.org.
If a privacy complaintor dispute relating to personal data received by us in reliance on the DPFcannot be resolved through our internal processes, you did not receive a timelyacknowledgement of your EU-US DPF-Principles related complaint from us, or wedid not address your EU-US DPF Principles related complaint to yoursatisfaction, we have also agreed to participate in the VeraSafe Data PrivacyFramework Dispute Resolution Procedure. Subject to the terms of the VeraSafeData Privacy Framework Dispute Resolution Procedure, VeraSafe will provideappropriate recourse free of charge to you. To file a complaint with VeraSafeand participate in the VeraSafe Data Privacy Framework Dispute ResolutionProcedure, please submit the required information here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/.
Furthermore, subject tocertain conditions (as described under the EU-US DPF Principles that monday.comInc. adheres to), you may invoke binding arbitration by delivering a notice tous via email@example.com Inc. is also subject to the investigatory and enforcement powers ofthe Federal Trade Commission.
Data Retention: We may retain yourpersonal data for as long as it is reasonably needed to maintain and expand ourrelationship and provide you with our Services and offerings; in order tocomply with our legal and contractual obligations; or to protect ourselves fromany potential disputes (e.g. as required by laws applicable to log-keeping,records and bookkeeping, and in order to have proof and evidence concerning ourrelationship, should any legal issues arise following your discontinuance ofuse), all in accordance with our data retention policy and at our reasonablediscretion. To determine the appropriate retention period for personal data, weconsider the amount, nature, and sensitivity of such data, the potential riskof harm from unauthorized use or disclosure of such data, the purposes forwhich we process it, and the applicable legal requirements. If you have anyquestions about our data retention policy, please contact us by email at firstname.lastname@example.org.
4. Data Disclosure
We may disclose personaldata in the following instances:
Service Providers: We engage selectedthird-party companies and individuals as “Service Providers”, to performservices on our behalf or complementary to our own. These include providers ofThird Party Services (as defined in the Terms),such as: hosting and server co-location services, communications and contentdelivery networks (CDNs), data and cyber security services, billing and paymentprocessing services, fraud detection, investigation and prevention services,web and mobile analytics, email and communication distribution and monitoringservices, session or activity recording services, call recording, analytics andtranscription services, event production and hosting services, remote accessservices, performance measurement, data optimization and marketing services,social and advertising networks, content, lead generating and data enrichmentproviders, email, voicemails, video conferencing solutions, support andcustomer relation management systems, third-party customer support providers,and our legal, compliance and financial advisors and auditors.
Our Service Providersmay have access to personal data, depending on each of their specific roles andpurposes in facilitating and enhancing our Services or other activities, andmay only use the data as determined in our agreements with them.
Application Providersand Event Sponsors: Ifso instructed or permitted by you or your Account Admin, we may disclose yourpersonal data (such as your User Profile and contact details, as well asrelevant usage data) to the provider(s) of any third-party applications orintegrations added to your Account. Similarly, if you register to any eventthat we host, organize or sponsor, then with your permission we may discloseyour registration details to others, including the hosts, organizers, speakers,services providers and sponsors of that event, so that they may contact youwith relevant information and offers, or to fulfill any promotions related tothe event.
Customers and otherUsers: Yourpersonal data may be disclosed to the Customer owning the Account to which youare subscribed as a User (including data and communications concerning yourUser Profile), as well as other Users of that Account. Your personal data andactivity within the Services may also be monitored, processed and analyzed bythe Account Admin. This includes instances where you contact us for help inresolving an issue specific to a team of which you are a member (and which ismanaged by the same Customer).
Also, in cases whereyour personal data appears in boards within that Account that are set as“private” or with limited view privileges, the Account Admin(s) may stillaccess it on behalf of the Customer.
Any content submitted byyou to private boards may still be accessed, copied and processed by theAccount Admin(s). Your User Profile and personal data will also be madeavailable to all the authorized Users who can view the same board(s) as you.Please note that monday.com is not responsible for and does not control anyfurther disclosure, use or monitoring by or on behalf of the Customer(including sharing of boards or use of broadcast features within the Services),that itself acts as the “Data Controller” of such data (as further described inSection 9 below).
If you register oraccess the Services using an email address at a domain that is owned by youremployer or organization (our Customer), and another team within suchCustomer’s organization wishes to establish an account on the Services, certaininformation about you including your name, profile picture, contact info andgeneral use of your Account will become accessible to the Account Admin andUsers.
Services integrations: You or your AccountAdmin may choose to integrate your Account on the Services with third-partyServices (provided that such integration is supported by our Services). Theprovider of such integrated third-party Services may receive certain relevantdata about or from your Account on the Services, or disclose certain relevantdata from the account on the third-party provider’s Services with our Services,depending on the nature and purpose of such integration. Note that we do notreceive or store your passwords for any of these third-party Services (but dotypically require your API key in order to integrate with them). If you do notwish your data to be disclosed to such third-party Services(s), please contactyour Account Admin.
Feedback orRecommendations: Ifyou submit a public review or feedback, note that we may (at our discretion)store and present your review publicly, on our Sites and Services. If you wishto remove your public review, please contact us at email@example.com.If you choose to send others an email or message inviting them to use theServices, we may use the contact information you provide us to automaticallysend such invitation email or message on your behalf. Your name and emailaddress may be included in the invitation email or message.
Community Forum: Our Sites includepublic blogs or forums, such as monday.com Community and Startup for Startup.We also manage and participate in various social channels and communities onother platforms. Any information you submit on these forums, blogs and communities– including profile information associated with the User Profile you use topost the information – may be read, collected, and used by others who accessthese Sites. Due to the nature of such public forums, your posts andcertain profile information may remain visible to all even after you terminateyour User Profile. To request removal of your information from publiclyaccessible Sites operated by us, please contact us as provided in Section 10below and note the Sites from which you would like your information to beremoved. In some cases, we may not be able to remove your information, in whichcase we will let you know if we are unable to and why.
Legal Compliance: In exceptionalcircumstances, we may disclose or allow government and law enforcementofficials access to your personal data, in response to a subpoena, searchwarrant or court order (or similar requirement), or in compliance withapplicable laws and regulations. Such disclosure or access may occur if webelieve in good faith that: (a) we are legally compelled to do so; (b)disclosure is appropriate in connection with efforts to investigate, prevent,or take action regarding actual or suspected illegal activity, fraud, or otherwrongdoing; or (c) such disclosure is required to protect the security orintegrity of our products and Services.
Protecting Rights andSafety: Wemay disclose your personal data to others if we believe in good faith that thiswill help protect the rights, property or safety of monday.com, any of ourUsers or Customers, or any members of the general public.
For the avoidance ofdoubt, monday.com may disclose your personal data in additional manners,pursuant to your explicit approval, if we are legally obligated to do so, or ifwe have successfully rendered such data non-personal and anonymous.
For the purposes of theCCPA, in the past twelve (12) months, we may have disclosed Identifiers;Professional or Employment-Related Information; Internet or other ElectronicNetwork Activity Information; Customer Records Information; and GeolocationInformation to the third parties listed above.
5. Cookies and TrackingTechnologies
Our Sites and Services(including some of our Services Providers) utilize “cookies”, anonymousidentifiers, pixels, container tags and other technologies in order for us toprovide and monitor our Services and Sites, to ensure that they performproperly, to analyze our performance and marketing activities, and topersonalize your experience. Such cookies and similar files or tags may also betemporarily placed on your device. Certain cookies and other technologies serveto recall personal data, such as an IP address, as indicated by a Prospect,User or Technology Partner. To learn more about our practices concerningcookies and tracking, please see our CookiePolicy. You may also use the “Cookie settings” feature available inour Services depending on your location and activity on our Services, asapplicable.
Please note that we donot change our practices in response to a “Do Not Track” signal in the HTTPheader from a browser or mobile application, however, most browsers allow youto control cookies, including whether or not to accept them and how to removethem. You may set most browsers to notify you if you receive a cookie, or toblock or remove cookies altogether.
We engage in Servicesand promotional communications, through email, phone, SMS and notifications.
Services Communications: We may contact youwith important information regarding our Services. For example, we may send younotifications (through any of the means available to us) of changes or updatesto our Services, billing issues, log-in attempts or password reset notices,etc. Our Customers, and other Users on the same Account, may also send younotifications, messages and other updates regarding their or your use of theServices. You can control your communications and notifications settings fromyour User Profile settings, or otherwise in accordance with the instructionsthat may be included in the communications sent to you. However, please notethat you will not be able to opt-out of receiving certain Servicescommunications which are integral to your use (like password resets or billingnotices).
PromotionalCommunications: Wemay also notify you about new features, additional offerings, events andspecial opportunities or any other information we think you will find valuable,as our Customer, User, Prospect or Technology Partner. We may provide suchnotices through any of the contact means available to us (e.g. phone, mobile oremail), through the Services, or through our marketing campaigns on any othersites or platforms. If you do not wish to receive such promotionalcommunications, you may notify monday.com at any time by sending an email firstname.lastname@example.org, changing your communications preferences in your UserProfile settings, or by following the “unsubscribe”, “stop”, “opt-out” or“change email preferences” instructions contained in the promotional communicationsyou receive.
7. Data Security
In order to protect yourpersonal data held with us, we use industry-standard physical, procedural andtechnical security measures, including encryption as appropriate. However,please be aware that regardless of any security measures used, we cannot and donot guarantee the absolute protection and security of any personal data storedwith us or with any third parties as described in Section 4 above. To learnmore, please visit our Trust Center.
8. Data Subject Rights
If you wish to exerciseyour privacy rights under applicable law (including the EU or UK GDPR, SwissFederal Data Protection Act or the CCPA), such as (each to the extentapplicable to you under the laws which apply to you) – the right toknow/request access to (specific pieces of personal data collected; categoriesof personal data collected; categories of sources from whom the personal datawas collected; purpose of collecting personal data; categories of third partieswith whom we have disclosed personal data), to request rectification or erasureof your personal data held with monday.com, or to restrict or object to suchpersonal data’s processing (including the right to direct us not to sell yourpersonal data to third parties now or in the future), or to obtain a copy orport such personal data, or the right to equal Services and prices (e.g.freedom from discrimination) – please contact us by email at email@example.com.If you are a GDPR-protected individual, you also have the right to lodge acomplaint with the relevant supervisory authority in the EEA or the UK, asapplicable.
You may designate anauthorized agent, in writing or through a power of attorney, to request toexercise your privacy rights on your behalf. The authorized agent may submit arequest to exercise these rights by emailing us. In such cases, we may request furtherinformation to verify such power of attorney and authorization.
We may redact from thedata which we make available to you, any personal or confidential data relatedto others.
Certain data protectionlaws and regulations, such as the GDPR or the CCPA, typically distinguishbetween two main roles for parties processing personal data: the “datacontroller” (or under the CCPA, “business”), who determines the purposes andmeans of processing; and the “data processor” (or under the CCPA, “serviceprovider”), who processes such data on behalf of the data controller (orbusiness). Below we explain how these roles apply to our Services, to theextent that such laws and regulations apply.
monday.com is the “dataprocessor” of personal data contained in Customer Data, as submitted by ourCustomers and their Users to their Account’s boards, items and docs. We processsuch data on behalf of our Customer (who is the “data controller” of such data)and in accordance with its reasonable instructions, subject to our Terms,our DataProcessing Addendum (to the extent applicable) and othercommercial agreements with such Customer.
Our Customers are solelyresponsible for determining whether and how they wish to use our Services, andfor ensuring that all individuals using the Services on the Customer’s behalfor at their request, as well as all individuals whose personal data may beincluded in Customer Data processed through the Services, have been providedwith adequate notice and given informed consent to the processing of theirpersonal data, where such consent is necessary or advised, and that all legalrequirements applicable to the collection, use or other processing of datathrough our Services are fully met by the Customer. Our Customers are alsoresponsible for handling data subject rights requests under applicable law, bytheir Users and other individuals whose data they process through the Services.
If you would like tomake any requests or queries regarding personal data we process as a dataprocessor on our Customer’s behalf, including accessing, correcting or deletingyour data, please contact the Customer’s Account Admin directly.
10. Additional Notices
If you have anyquestions or would like to exercise your rights under the CCPA, you cancontact firstname.lastname@example.org.
Our Services are notdirected to children under the age of 16: We do not knowingly collect personal data fromchildren and do not wish to do so. If we learn that a person under the age of16 is using the Services, we will attempt to prohibit and block such use andwill make our best efforts to promptly delete any personal data stored with uswith regard to such child. If you believe that we might have any such data,please contact us by email at email@example.com.
DPO: monday.com hasappointed privacy veteran Aner Rabinovitz as our Data Protection Officer, formonitoring and advising on monday.com’s ongoing privacy compliance and servingas a point of contact on privacy matters for data subjects and supervisoryauthorities. Our DPO may be reached at firstname.lastname@example.org.
EU Representative: VeraSafe has beendesignated as monday.com’s representative in the European Union for dataprotection matters pursuant to Article 27 of the GDPR. VeraSafe may becontacted only on matters related to the processing of personal data of EUresidents. To make such an inquiry, please contact VeraSafe through this contact form.
UK Representative: monday.com UK 2020Ltd. has been designated as monday.com’s representative in the United Kingdomfor data protection matters pursuant to Article 27 of the UK GDPR. monday.comUK 2020 Ltd. may be contacted on matters related to the processing of personaldata of residents of the UK, at email@example.com.