Privacy Policy

Last Updated: DRAFT September 27, 2021

Source: legal.mstipmanager.com/privacy/privacy/

MST Services include various cloud communications platform applications that provide Customers with tools to manage their intellectual property portfolios. These tools include the storage, organization and management of documents and communications related to Customer Data.

You can contact our Privacy Team in the Office of the Data Protection Officer by either emailing us at privacy@mstfirm.com or, by writing to us at: One Maritime Plaza, Fifth Floor, 720 Water Street, Toledo, Ohio 43604.

MST processes two broad categories of personal information when you use our products and services:

• Your personal information as a customer of MST’s services — information that we refer to as Customer Account Data, and

• The personal information of your end users and employees, contractors, partners, etc. who use or interact with your MST services and applications — this category contains both your Customer Usage Data (e.g., communications metadata) and your Customer Content (e.g., the contents of communications, documents and other stored data).

MST processes these categories of personal information differently because the direct relationship we have with you, our customer, is different than the indirect relationship we have with your end users.

How MST Processes Your Personal Information

Data protection laws and privacy laws in certain jurisdictions, like the European Economic Area (EEA), differentiate between “controllers” and “processors” of personal information. A controller decides why and how to process personal information.

A processor processes personal information on behalf of a controller based on the controller’s instructions. When MST processes your Customer Account Data, the MST entity with whom you are contracting is acting as a controller.

Broadly speaking, we use Customer Account Data to further our legitimate interests to:

• manage our relationship with you and other customers,

• carry out core business operations such as accounting, filing taxes, and fulfilling regulatory obligations and

• help detect, prevent, or investigate security incidents, fraud and other abuse and/or misuse of our products and services.

What Personal Information MST collects:

We collect and process your personal information:

• When you visit a MST website like mstipmanager.com or mstipsolutions.com, or make a request to receive information about MST or our products;

• When you contact our Support Team; and

• When you sign up for a MST account and use our products and services.

We call this personal information Customer Account Data. We also collect Customer Usage Data from you when you send or receive communications through your use of our services. This data might take different forms, and we might use it for different purposes — read on for more information.

Depending on your interactions with us, we might collect the following categories of personal information, and for the following reasons:

• We collect Identifiers, like your name and contact information (Customer Account Data), when you sign up or use our products or services and to do things like allow you to use our products, verify your identity, and communicate with you.

• We collect Commercial information when we keep track of the services that you purchase from us and our communications history about those services.

• We collect Internet and other electronic activity information, such as communications metadata, as you interact with our website or use our services. This metadata may be information about how you interact with our websites and the information on them; what features you use on our service; or it may be your Customer Usage Data as you send communications over the service.

• We collect Geolocation information when you use our products or services. Depending on the product or service, this could be location based on your IP address, or, such as if you are using our IoT products and services, based on the cell tower to which a mobile device is connected, or Wi-Fi triangulation.

• We collect Professional or employment information, such as your company or employer or your role at your company.

When we’re processing your personal information as our customer, we’re generally processing Customer Account Data or Customer Usage Data. When we do, we’re a controller, as we described above, and this Privacy Statement details the rules that control our use of that data.

In addition, as a processor and a service provider, we process Customer Content that may include personal information from any of those categories, plus others. If you’re an end user of a customer of ours, our customer will be able to help you with more details on what categories they’re collecting and using.

What Customer Account Data MST Processes When You Visit Our Website or Make a Request for Information about MST and Why

When you visit our website or request more information about MST, we collect information automatically using tracking technologies, like cookies, and through web forms where you type in your information. We collect this information to provide you with what you request through the web form, to learn more about who is interested in our products and services, and to improve navigation experience on our pages. Information You Share Directly: In some places on MST’s websites, you can fill out web forms to create an account or make a request. The specific personal information requested on these forms will vary based on the purpose of the form. We will ask you for information necessary for us to provide you with what you request through the form. We may also ask you for additional information to help us understand you better as a customer like your MST use case, your company name, or your role at your company.

Information We Collect Automatically: When you visit MST websites, including our web forms, we and our service providers acting on our behalf automatically collect certain information using tracking technologies like cookies, web beacons, and similar technologies. We use this information to understand how visitors to our websites are using them. This helps us understand how we can improve our websites. In addition, we use tracking technologies to help improve the navigation experience on MST websites. We don’t sell this information to third parties. For more details on our use of cookies and tracking technologies, please see our Cookie Notice.

What Customer Account Data MST Processes When You Communicate with Our Support Teams and Why

You may share personal information, like your contact information, with a member of our Support Team when you communicate with them. We keep a record of this interaction.

If you contact our Support Teams, those teams keep a record of that communication, including your contact details and other information you share during the course of the communication. We store this information to help us keep track of the inquiries we receive from you and from customers generally so we can improve our products and services and provide training to team members. This information also helps our teams manage our ongoing relationships with our customers. Because we store a record of these communications, please be thoughtful about what information you share with our Support Teams. While we will take appropriate measures to protect any sensitive information you share with us, it is best to avoid sharing any personal or other sensitive information in these communications not necessary for these teams to assist you.

What Customer Account Data MST Processes When You Sign Up for and Log Into an MST Account and Why

When you sign up for an account with us, we ask for certain information like your contact details and associated employer or company (our Customer) information so we can communicate with you and facilitate your use of our products and services. We also collect some information automatically, like your IP address, when you log in to your account or use an application within our Services. We use this to understand who is using our services and how, and to detect, prevent and investigate fraud, abuse, or security incidents.

Information You Share Directly: When you sign up for an MST account with us, you’ll be asked to give us your name, email address, and your company name, and to create a password. We collect this information so we know who you are, we can communicate with you about your account(s), and we can recognize you when you communicate with us through the account portal or otherwise.

When you first sign up for an account, we also ask you for a telephone number so we can communicate a verification code to that telephone number and have you enter the code into our website. This helps us ensure you’re actually a human being. An MST team member may also contact you at this number to help you with onboarding unless you tell us you don’t want us to contact you.

When you set up two-factor authentication for your account, we’ll ask you to enter a telephone number to set up the process. You have the option to use that telephone number as the method for us to communicate verification codes to you to verify that it is you logging into your account.

Similarly, for some of our products, you or your end user, whoever is going to be making use of the product, may have to complete an application form providing details about your company and your intended use of the product, like when you are interested in getting a short code. We’ll use this information for the purpose for which it was gathered from you. We may also use it in connection with improving our own internal processes and services or training our team members.

When you use our account portal, we collect your IP address and other data through tracking technologies like cookies, web beacons, and similar technologies. We use this information to understand how customers are using our platform, who those customers are (if they are a company and the IP address is associated with that company), what country they are logging in from (for analytics and export control purposes), and to help improve the navigation experience.

All information we collect when you sign up for a MST account and interact with the MST account portal or our products or services may be used to detect, prevent, or investigate security incidents, fraud, or abuse and misuse of our platform and services. We will also use it, and share it with our service providers, as needed for our operational purposes — such as to do things to function as a business and provide our services to you.

Other Customer Account Data We Collect and Why

We may collect information about you, as our customer, from publicly-available sources so we can understand our customer base better.

How Long We Store Your Customer Account Data

MST will store your Customer Account Data as long as needed to provide you with our services and to operate our business. If you ask MST to delete specific personal information from your Customer Account Data, we will honor this request unless deleting that information prevents us from carrying out necessary business functions.

Here is an overview of how long we hold on to Customer Account Data in a form that can be used to identify you, unless there is a specific need or obligation to retain your information longer (like in the case of an open investigation, audit or other legal matter):

• Customer Account Data stored in our customer relationship management system(s) is generally stored up to 7 years following closure of your account. Invoice records, including their digital equivalent, may be retained in identifying form by MST for longer periods for accounting, tax, and audit purposes depending on and in accordance with applicable law.

• Similarly, where we collect subscriber records, such as a physical address or identity information, in connection with providing our communications products and services, we will retain this data as needed for legal, security and anti-fraud purposes and depending on and in accordance with applicable local law.

• We may retain your communications with MST’s Customer Support Teams for up to 7 years after your account is closed.

• Apart from the above, within 60 days following closure of your account, we will either delete other Customer Account Data or transform it such that it can no longer be used to identify you.

How to Make Choices About Your Customer Account Data

You can make various choices about your Customer Account Data through the account portal, such as accessing it, correcting it, or deleting it, when you log into your MST account. Any other requests about your data you cannot make through these self-service tools, you can request by emailing privacy@mstfirm.com.

Closing Your Account and Deletion. To request closure or deletion of your MST account, you can email us at privacy@mstfirm.com. You should know that closure and/or deletion of your MST account will result in you permanently losing access to your account and data in the account. Please note that certain information associated with your account may nonetheless remain on MST’s servers in an aggregated form that does not identify you or your end users. Similarly, data, including personal information, associated with your account we are required to maintain for legal purposes or for necessary business operations (see “How Long We Store Your Customer Account Data” section above) will be retained after account closure until no longer needed.

If you are an end user of an application built on MST’s Services and not a direct customer of MST, you should direct requests relating to your personal information to the relevant application provider in accordance with the application provider’s own privacy policy.

California Consumer Access and Deletion Rights

For those customers that would like more information about our use of Customer Account Data or Customer Usage Data, you have the ability to request:

• that we provide details about the categories of personal information that we collect about you, including how we collect and share it;

• that we provide you access to the personal information we collect about you; and

• that we delete the personal information we have about you.

Please be aware that when you ask us for these things, we will take steps to verify that you are authorized to make the request.

As part of the services we provide to our customers, we provide you with a number of self-service features at no additional cost, including the ability to access your data, download a copy of your data, delete your data, or restrict the use of your data. If you need more help than that, let our Support team know; we will provide reasonable and timely assistance to assist you.

Please keep in mind that when you ask us for your personal information, or you ask us to delete your personal information, we may need to withhold or retain some of that personal information for security, legal, or anti-fraud reasons. Also, we do need some of the Customer Account Data and Customer Usage Data we have to maintain customer accounts. If you ask us to delete that information, we may not be able to continue providing you our services. This also means that we won’t be able to provide access to or delete information about customers who are the point of contact for businesses that use our services. If you would like to request access or deletion, you may email privacy@mstfirm.com.

How MST Processes Your End Users’ Personal Information

Your end users’ personal information typically shows up on MST’s Services in a few different ways:

• Communications-related personal information about your end users, like your end users’ phone numbers for number-based communications, your end users’ email addresses for email communications, IP addresses for IP-based communications, device status (indicating whether a device is available for messaging), or device tokens for push notifications, show up in our systems when you use or intend to use this information to contact your end user through use of our products and services.

• Your end users’ personal information may show up in “friendly names,” which are strings you provide, if you choose to include your end users’ personal information as part of a string.

• Your end users’ personal information may also be contained in the content stored within your applications or content of communications you (or your end users) send or receive using MST’s products and services.

We call the information in the first two bullets above Customer Usage Data. The information in the third bullet is what we refer to as Customer Content.

As noted above, data protection law (including privacy law) in certain jurisdictions, like the EEA, differentiate between “controllers” and “processors” of personal information. When MST processes Customer Content, we generally act as a processor. When we process Customer Usage Data, we act as a processor in many respects, but we may act as a controller in others. For example, we may need to use certain Customer Usage Data for the legitimate interests of billing, reconciling invoices with vendors, and in the context of troubleshooting and detecting problems with the network.

What Customer Usage Data and Customer Content MST Processes and Why

We use Customer Usage Data and Customer Content to provide services to you and to carry out necessary functions of our business as a communications service provider. We do not sell your end users’ personal information and we do not share your end users’ information with third parties for those third parties’ own business interests.

How Long Do We Store Customer Usage Data and Customer Content and Exercising Choices About End User Personal Information

Details regarding how long your end user personal information may be stored on MST systems and how to delete, access, or exercise other choices about end user data will depend on which MST products and services you are using and how you are using them. For that reason, the documentation for each of our products and services, along with Customer policies, are the best place to find more detailed information about managing end user data collected and stored in connection with your use of our products and services, as well as the particular data retention periods for your use case.

As an MST customer, if the MST product or service you use enables you to store records of your usage on MST, including personal information contained within those records, and you choose to do so, then MST will retain these records for as long you instruct. In some cases, use of extended storage may cost more. If you later instruct us to delete those records, we will do so. Please note that it may take up to 30 days for the data to be completely removed from all systems. In some cases, a copy of those records, including the personal information contained in them, may nonetheless be retained to carry out necessary functions like billing, invoice reconciliation, troubleshooting, and detecting, preventing, and investigating spam, fraudulent activity, and network exploits and abuse. Sometimes legal matters arise that also require us to preserve records, including those containing personal information. These matters include litigation, law enforcement requests, or government investigations. If we have to do this, we will delete the impacted records when no longer legally obligated to retain them. We may, however, retain or use records after they have been anonymized, if the law allows.

When and Why We Share Your Personal Information or Your End Users’ Personal Information

We do not sell or allow your Customer Account Data to be used by third parties for their own marketing purposes, unless you ask us to do this or give us your consent to do this. Further, we do not sell your end users’ personal information. We also do not share it with third parties for their own marketing or other purposes, unless you instruct us to do so.

Below are the different scenarios under which we may share your data with third parties.

• Other communications service providers for proper routing and connectivity. MST also enables sending or receiving communications through communications service providers. If you choose to use MST to send or receive communications by way of these providers, MST will share communications data with these providers as necessary to route and connect those communications from the sender to the intended recipient. How those communications service providers handle this data is determined by their own policies.

• Third-party service providers or consultants. MST engages certain third-party service providers to carry out certain data processing functions on our behalf. These providers are limited to only accessing or using this data to provide services to us and must provide reasonable assurances they will appropriately safeguard the data. In addition, MST may use service providers to help us detect potentially fraudulent or malicious accounts or customer activity. These providers may use machine learning as part of its service and certain Customer Account Data MST shares with them may be used in building machine learning models to help detect potential fraud or malicious activity that not only benefits MST, but other customers as well.

• Sub-processors. We may share Customer Content with sub-processors who assist in providing the MST services, like our infrastructure provider, or as necessary to provide optional functionality like communications. An up-to-date list of MST’s sub-processors is located here.

• Compliance with Legal Obligations. We may disclose your or your end users’ personal information to a third party if (i) we reasonably believe that disclosure is compelled by applicable law, regulation, legal process, or a government request (including to meet national security, emergency services, or law enforcement requirements), (ii) to enforce our agreements and policies, (iii) to protect the security or integrity of our services and products, (iv) to protect ourselves, our other customers, or the public from harm or illegal activities, or (v) to respond to an emergency which we believe in good faith requires us to disclose data to assist in preventing a death or serious bodily injury. If MST is required by law to disclose any personal information of you or your end user, we will notify you of the disclosure requirement, unless prohibited by law. Further, we object to requests we do not believe were issued properly.

• Other MST Group Entities. We may share your personal information or your end users’ personal information within the MST group of companies, such as with a subsidiary of MST, LLC. We and our subsidiaries will only use the information as described in this notice.

• Business transfers. If we go through a corporate sale, merger, reorganization, dissolution or similar event, data we gather from you may be part of the assets transferred or shared in connection with the due diligence for any such transaction. In that situation, and that situation only, we might transfer your data in a way that constitutes a sale under applicable law. If we do, we’ll let you know ahead of time, and any acquirer or successor of MST may continue to process data consistent with this notice.

• Aggregated or de-identified data. We might also share data with third parties if the data has been de-identified or aggregated in a way so it cannot be used to identify you or your end users.

If you’re a Californian interested in what personal information we have shared lately for our business purposes, here’s a list:

• Identifiers

• Commercial information

• Internet or other electronic activity information

• Geolocation information

• Professional or employment information

By “our business purposes,” we mean that we only share personal information as we describe in this section (in other words, with telephony operators, communications providers, and so on).

Transfers of Personal Information Out of the EEA and Switzerland

When you use our account portal, or our other products and services, personal information of you and your end users processed by MST will be transferred to the United States, where our primary processing facilities are located, and possibly to other countries where we or our service providers operate. These transfers will often be made in connection with routing your communications in the most efficient way.

MST employs appropriate safeguards for cross-border transfers of personal data, as required by applicable local law, including Standard Contractual Clauses.

While MST relies on strong transfer mechanisms to protect the data we transfer across borders, we understand that data transfer mechanisms do not operate in a vacuum. MST has taken to safeguard our customers’ personal data. Standard Contractual Clauses. MST relies on the European Union Model Clauses, also known as Standard Contractual Clauses to transfer personal information outside the EEA and Switzerland.

MST’s Data Protection Addendum. For more information about our cross-border data transfer mechanisms, please see the Data Protection Addendum which is part of your agreement with us. We provide this DPA by default, as an additional layer of protection for all our customers.

Data Collection and Email

For the most part, the SendGrid services collect the same data the MST services collect, and for the same reasons. The SendGrid services also collect some additional data in the form of web beacons placed in the body of emails delivered using the SendGrid platform. This allows us to keep track of whether or not an email has been delivered, opened, clicked on, whether it bounced or was treated as spam.

Automated Decision Making

MST may use automated decision making using a variety of signals derived from account activity to help identify and suspend accounts sending spam or engaged in other abusive or fraudulent activity. Holders of accounts suspended under these circumstances are notified of the suspension and given an opportunity to request human review of the suspension decision.

Handling disputes relating to our data protection practices

We hope we can resolve any disputes relating to our data protection practices between us. You can raise your concern or dispute by emailing our Privacy Team at privacy@mstfirm.com or by writing to us at: MST, One Maritime Plaza, Fifth Floor, 720 Water Street, Toledo, Ohio 43604.

For individuals in the EEA, you have additional rights to make a complaint to a competent data protection authority or commence proceedings in a court of competent jurisdiction in accordance with applicable data protection laws.

If you have a dispute with us relating to our data protection practices, please contact us by email at privacy@mstfirm.com.

If we can’t resolve the dispute through those channels and you are not in the EEA or Switzerland, the American Arbitration Association (www.adr.org) will conduct the dispute resolution proceedings. Please be sure to review our Terms of Service, before you use any of our products and services.

For those in the EEA or Switzerland, if you have a dispute with us relating to our data protection practices or are not satisfied with how we’ve addressed your concerns or questions, you may complain to an independent dispute resolution provider, at no cost to you. If you are a resident of the EEA, you also have the right to lodge a complaint with your local data protection authority or the Data Protection Commissioner in Ireland (where our EEA headquarters are based). Irish Data Protection Commissioner Officer of the Data Protection Commissioner Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland Phone: +353 57 868 4757 Fax: +353 57 868 4757 Email: info@dataprotection.ie

How We Secure Personal Information

We use appropriate technical and organizational measures to protect the security of your personal information both online and offline. These measures vary based on the sensitivity of the personal information we collect, process and store and the current state of technology. We also take measures to ensure service providers that process personal data on our behalf also have appropriate security controls in place.

Please note that no service is completely secure. While we strive to protect your data, we cannot guarantee that unauthorized access, hacking, data loss or a data breach will never occur.

To protect the confidentiality of your account and protect from unauthorized use of your account, we require enabling two-factor authentication for your account. Additionally, you must keep your account password and Auth Token confidential and not disclose them publicly or to unauthorized individuals — this includes accidentally distributing them in a binary or checking them into source control. Please let us know right away if you think your password or Auth Token was compromised or misused.

Other Information You May Find Useful

Here’s some other information about our privacy practices, such as how we handle certain types of data like children’s data or protected health information, how we handle do-not-track signals, what to expect if we make changes to our notice, and the legal bases for processing personal information.

Information from Children

We do not knowingly permit children (under the age of 13 in the US or 16, if you live in the EEA) to sign up for an MST account. If we discover someone who is underage has signed up for a MST account, we will take reasonable steps to promptly remove that person’s personal information from our records. If you believe a person who is underage has signed up for a MST account, please contact us at privacy@mstfirm.com.

Do-Not-Track Signals

MST does not currently respond to web browser’s Do-Not-Track signals.

Changes to Our Privacy Notice

We may change our Privacy Notice from time to time. If we make changes, we’ll revise the “Effective” date at the top of this notice, and we may provide additional notice such as on the MST website homepage, account portal sign-in page, or via the email address we have on file for you. We will comply with applicable law with respect to any changes we make to this notice and seek your consent to any material changes if this is required by applicable law. Legal Basis for Processing Personal Information (EEA only)

If you are from the EEA, our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. However, we will normally collect personal information from you only where we need the personal information to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms, or where we have your consent to do so. In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person such as in the case where we request personal information from you in the context of a government audit or in response to a request from law enforcement.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact information provided in the introduction section of this privacy statement.