Data Privacy Framework Notice

This Data Privacy Framework Notice (“DPF Notice”) describes how SuiteDash Services, LLC and its covered affiliates SuiteDash, Inc. and My Portal App, LLC (collectively, “SuiteDash,” “we,” “us,” or “our”) handle personal data received from the European Union, the United Kingdom (and Gibraltar), and Switzerland in reliance on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework.

This DPF Notice should be read together with our Privacy Policy, which describes our overall personal data practices.

1. Adherence to the Data Privacy Frameworks

1.1 Participation. SuiteDash Services, LLC, including its covered affiliates SuiteDash, Inc. and My Portal App, LLC, complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.

1.2 EU-U.S. DPF and UK Extension. SuiteDash has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles with regard to the processing of personal data received from the European Union and the United Kingdom (and Gibraltar) in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

1.3 Swiss-U.S. DPF. SuiteDash has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. DPF Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

1.4 Conflict. If there is any conflict between the terms in this DPF Notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

2. Scope of Coverage

2.1 Geographic Scope. This DPF Notice applies to personal data that SuiteDash receives in the United States from the EU, UK, and Switzerland in connection with the products and services SuiteDash provides to its customers.

2.2 Non-HR and HR Data. Coverage extends to both Non-HR data (such as data about customers, prospects, website visitors, and the contacts and end users that customers manage through the SuiteDash platform) and HR data (personal data about employees, past or present, that is processed through the SuiteDash platform on behalf of customer-employers in the context of the employment relationship).

3. Categories of Personal Data Collected

SuiteDash receives the following categories of personal data:

Identity data — name, username, title.
Contact data — email, phone, postal address.
Account credentials — stored in encrypted form.
Transaction and billing data — handled in part by third-party payment processors.
Customer-uploaded content — files, documents, communications, project data.
Usage and technical data — IP address, browser type, device information, log data.
HR-context data processed on behalf of customer-employers — which may include employee identification, contact information, role and department data, time and attendance information, and HR documents uploaded by the customer.

4. Purposes of Processing

4.1 General. SuiteDash processes personal data to provide the SuiteDash platform and related services, to administer customer accounts, to communicate with customers about their accounts, to provide customer support, to maintain platform security and integrity, to comply with legal obligations, and to improve the platform.

4.2 HR Data. For HR data specifically, SuiteDash acts as a data processor on behalf of customer-employers, who serve as the data controller, and processes HR data only to provide platform functionality as configured and instructed by the customer.

5. Right of Access, Correction, and Deletion

5.1 Individual Rights. EU, UK, and Swiss individuals have the right to access personal data about them that SuiteDash holds, and to request correction, amendment, or deletion of inaccurate data.

5.2 How to Make a Request. Requests should be directed to [email protected].

5.3 HR Data. For HR data, individuals should generally direct requests to their employer (the customer who controls the data); SuiteDash will support customer-employers in responding to such requests.

6. Choice (Opt-Out and Opt-In)

6.1 Opt-Out. SuiteDash will offer individuals the opportunity to opt out where personal data is to be (a) disclosed to a third party other than an agent acting on SuiteDash’s behalf, or (b) used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized.

6.2 Sensitive Data Opt-In. For sensitive data (data about medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning sex life), SuiteDash will obtain affirmative express consent (opt-in) from the individual before such data is disclosed to a third party or used for a purpose other than originally authorized.

7. Onward Transfers and Accountability

7.1 Third-Party Agents. SuiteDash may transfer personal data to third-party agents and service providers who perform functions on SuiteDash’s behalf, including cloud infrastructure providers (Amazon Web Services), payment processors, and AI service providers (OpenAI and Google).

7.2 Safeguards. SuiteDash takes reasonable and appropriate steps to ensure that third-party agents process personal data in accordance with SuiteDash’s DPF obligations.

7.3 Liability. In the context of an onward transfer, SuiteDash remains responsible for the processing of personal data it receives under the DPF Principles and subsequently transfers to a third party acting as an agent on its behalf. SuiteDash remains liable under the DPF Principles if its agent processes such personal data in a manner inconsistent with the DPF Principles, unless SuiteDash proves that it is not responsible for the event giving rise to the damage.

8. Independent Recourse Mechanism

8.1 Commitment. In compliance with the DPF Principles, SuiteDash commits to resolve DPF Principles-related complaints about its collection and use of personal data. EU, UK, and Swiss individuals with inquiries or complaints regarding SuiteDash’s handling of personal data received in reliance on the DPF should first contact SuiteDash at [email protected].

8.2 Non-HR Data — BBB National Programs. SuiteDash has further committed to refer unresolved DPF Principles-related complaints concerning personal data other than HR data to BBB National Programs, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge.

8.3 HR Data — EU/UK/Swiss DPA Panel. For HR data, SuiteDash commits to cooperate with the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable, and to comply with the advice given by such authorities with regard to HR data transferred from the EU, UK, and Switzerland in the context of the employment relationship.

9. Binding Arbitration

Under certain conditions, individuals may invoke binding arbitration to address residual DPF Principles-related complaints not resolved by other means. For more information, please see https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf.

10. U.S. Federal Trade Commission Enforcement

The Federal Trade Commission has jurisdiction over SuiteDash’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

11. Disclosure for National Security and Law Enforcement

SuiteDash may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.