Privacy Policy
We provide a service that allows you and your team to be more productive in your product management processes.
Our privacy policy is reviewed at regular intervals to ensure it meets the current statutory requirements.
This policy covers ProdPad and CreateShift websites, interaction with the company and use of the Services where CreateShift is acting as the Data Controller. By using CreateShift websites, interacting with the company and using the Services, you are agreeing to this privacy policy.
For details on the data protection and privacy while using the Services where CreateShift is acting as the Data Processor, see the Terms and Conditions.
For the purposes of this Privacy Policy, CreateShift Ltd (a UK registered company (8092272) with the registered office at 36 Brunswick Street West, Hove, BN3 1EL, UK) is the data controller “CreateShift”.
Our cookie policy is detailed here.
General Policy
Customer Data
Content and information submitted by users to the Services is referred to in this policy as “Customer Data”. As further explained below, Customer Data is controlled by the organization or other third party that created the account (the “Customer”). Where ProdPad collects or processes Customer Data, it does so on behalf of the Customer.
If you join an account and create a user profile, you are a “user,” as further described in the Terms of Service. If you are using the Services by invitation of a Customer, whether that Customer is your employer, another organization, or an individual, that Customer determines its own policies regarding storage, access, modification, deletion, sharing, and retention of Customer Data which may apply to your use of the Services. Please check with the Customer about the policies and settings it has in place.
CreateShift employees or contractors only access Customer Data at the request of Customer in order to provide support.
Customer Data is retained until a Hard Delete is requested by the Customer.
Customer Feedback
As part of providing Services to the Customer, CreateShift collects customer feedback and customer details (name, email, social media, telephone and avatar images) on behalf of the Customer and serves as a processor of that data for the Customer.
For the purposes of GDPR, we are a data processor of customer feedback on behalf of our clients. If you wish to exercise your data subject rights, you’ll need to contact the client who is the data controller. If you make a request of us in relation to this, we will redirect your request to the client and let you know we have done so.
Billing Information
Billing information is collected in order to fulfill the contract of providing Services to the Customer. The collected billing information includes credit card details, billing address, and billing contact. According to UK law, we are obliged to retain these details for a period of 6 years.
The billing information is processed by Recurly Inc. and Stripe Inc., both of which process the data in the US. The data is transferred to the US under the Standard Contractual Clauses.
Personal Information
Application
When creating a user account with the Services, you’ll be asked to provide your email and name. These are required in order to set up a unique account and for the transactional emails within the Services. Your email will also be used to help onboard you to the Services and provide you with information about the Services. All of the emails can be opted out of by clicking on the link in the email or going to the notifications control center in the Services.
You can optionally add an avatar image if you choose. During registration, we check Gravatar to see if you have made an avatar available and, if so, use that. At any time you can delete your avatar image from your profile.
Your email and name is also used with our in-application tracking for the legitimate interest of improving the Service. This tracking is used to identify issues, bugs and help us improve the product. We retain the information until you delete your account.
We also use your email and name for providing the legitimate interest of technical and sales support. We retain this information indefinitely. You can object to the processing of this information by contacting help@prodpad.com.
Appendix A and Appendix B have more details about usage, lawful basis, processors, processing location, and retention period.
Website
If you sign up to our newsletter, you are consenting to receiving newsletter and marketing communications about the Services from us. You can withdraw consent at any time by clicking “unsubscribe” in the emails.
If you request a physical resource (such as a physical copy of The Handy Guide for Product People), we require your name, email address and mailing address in order to fulfill the sending of the resource to you. When you request the resource, you can opt-in to joining our newsletter as well. We only use the entered details to fulfill the request.
If you join one of our e-courses or webinars, we’ll ask for your name and email address in order to fulfill your request to receive the course materials or attend the webinar. When you sign up for the course or webinar, you can opt-in to joining our newsletter as well. We only use the details provided to deliver the course or webinar to you. You can opt-out of continuing to receive the course by clicking on the “unsubscribe” link in the email. You can unsubscribe from the webinar with the link provided in the email.
We use data processors to manage the delivery of resources, newsletters, and e-courses. Those processors are based in the US, and are covered by Standard Contract Clauses and Swiss-US Privacy Shield.
Further details are available in Appendix A and Appendix B.
Other Information
Pseudo-anonymised usage data
We use analytics services to produce aggregate and pseudo-anonymised usage data on the usage of the application and websites. This data is used to help us resolve issues and improve the website and Services to provide you with the best experience possible. As part of this tracking, we capture details on your device (device type, OS type & version, browser type & version) and location (city, country).
See Appendix B for ways of opting out of the tracking.
3rd party information
We use data enrichers to enrich the data about you to help us provide better sales and support. The enriched data includes job title, information about your company. You can opt-out of the enrichment by going here.
Children’s information
Our Services are not directed to children under 16. Our clients can use our Services to collect customer feedback from children on their products or services which can include children’s personal information. It is up to our clients to ensure they have the appropriate lawful basis for collecting and processing that data.
If you feel that a child’s data is being processed without an appropriate lawful basis, you should contact the company or organization that collected the data in the first place with your concerns. You may contact us and we will redirect your enquiry to the company or organization concerned as required by the GDPR.
Data Security
We care about the trust you place in us in providing us with your company and personal information. While no one can guarantee 100% security, we have in place various methods of securing your data including:
- Encryption-in-rest and in-transit
- Minimization of personal data collected to what is required to deliver the Services and websites
- Usage of firewalls, regular vulnerability scans, and intrusion detection
You can get more information about our security here.
Your Individual Data Rights
You have various rights over your personal information. Those rights are:
- Being informed about data collected and how it is processed
- Access to the data we have on you
- Being able to correct and update the data we have on you
- Erasure of the data we have on you
- Restricting of the processing of the data we have on you
- Being able to move the data we have on you to another service
- Knowledge of what automated decision-making and/or profiling we do with your personal information
There are circumstances when your data rights can be overridden, such as in the case of billing information which is required to be maintained for 6 years under UK law.
We don’t do any automated decision-making or profiling.
We provide you with information about the data collected and how it is processed via this privacy policy and the privacy notices displayed when we collect the data.
You can access and update (rectify) the Personal Information we have on you by logging into the Service. If you wish to rectify information in other services please email help@prodpad.com.
You can erase the data we have on you by closing and deleting your Service account. This will also anonymize the tracking data we have collected in the process of using the Service.
You can restrict various processing of your Personal Information by opting out of various services (see Appendix B).
Your Company Data Rights
You own the copyrights, IP, and other similar rights to the Company Data entered into the Service.
If you wish to close your company account with us you can request to cancel the subscription within the app. At that time you can export the data from your company account using the various export tools provided within the Service.
Tracking and Targeted Advertising
We may allow service providers and other third parties to use cookies and other tracking technologies to track your browsing activity over time and across our Site and third party websites. We may also partner with a third party ad network to either display advertising on our Site, to manage our advertising on other sites, or to provide you targeted advertisements based upon your interests on our Site or on third party sites.
We will update our cookie policy of details on advertising/targeting cookies if they are implemented.
You may opt out of having your personal information used for targeted ads by clicking here or if you are in the European Union, here, but you may still receive untargeted ads.
Other companies’ use of their tracking technologies is subject to their own privacy policies. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to do not track or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.
In some of our communications, we use tracking means, such as a “click-through URL” linked to content on the Site. We track this data to help us measure the effectiveness of our customer communications.
Disclosure
We will not disclose Customer Data or Personal Information to any government, except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or court order).
If a law enforcement agency sends us a demand for Customer Data or Personal Information, we will attempt to redirect the law enforcement agency to request that data directly from Customer or Individual. As part of this effort, we may provide Customer or Individual’s basic contact information to the law enforcement agency.
If compelled to disclose Customer Data or Personal Information to a law enforcement agency, then we will give Customer or Individual reasonable Notice of the demand to allow the Customer or Individual to seek a protective order or other appropriate remedy unless we are legally prohibited from doing so.
Change of Ownership or other Business Transaction
In the event that CreateShift enters into a business transition, such as a merger, acquisition, or the sale of all or part of its assets (a “Business Transition”), users’ data (including personally identifiable information and non-personally identifiable information associated with the ProdPad services) will likely be part of the assets transferred.
In this event, we will notify you of any Business Transition. We will also notify you of any subsequent material changes to this Privacy Policy as a result of a Business Transaction and give you the opportunity to opt-out for information that we have collected before, or may collect after, a new Privacy Policy containing material changes takes effect.
Supervisory Authority
For the purposes of the GDPR legislation our Supervisory Authority is the UK’s Information Commissioner’s Office. If you wish to lodge a complaint about your data subject rights or the lawfulness of processing, you can do so by contacting the ICO.
Changes to this Privacy Policy
CreateShift may change this Privacy Policy from time to time. Laws, regulations and industry standards evolve, which may make those changes necessary, or we may make changes to our business. We will post the changes to this page and encourage you to review our Privacy Policy to stay informed.
If we make changes that materially alter your privacy rights, CreateShift will provide additional notice, such as via email or through the Services. If you disagree with the changes to this Privacy Policy, you should deactivate your Services account. Contact the Customer if you wish to request the removal of Personal Data under their control.
You understand and agree that if you use the CreateShift services after the effective date of the updated Privacy Policy, CreateShift will consider your use as acceptance of the updated Privacy Policy.
Learn more
Access to your information. If you wish to see the personal information we hold about you, please log in to the Settings section. If you have any further queries or concerns, please contact us at privacy@prodpad.com.
Last Updated: December 2023.
Appendix A – Personal Information Collected
| Personal Information | Processing | Lawful Basis of Processing | Retention Period |
|---|---|---|---|
| Stored and used to provide a unique account. Used to send transactional emails and product related updates | Contractual, Various Legitimate Interests | Until you request the deletion of your account | |
| Used to send product newsletter, e-courses and provision of other resources to you (including webinars) | Consent for the product newsletter and Contractual for the provision of resources and e-courses | Until you unsubscribe from the newsletter, 6 months after completion of a course or 6 months after a resource is delivered | |
| Used to provide support, sales/customer success and marketing | Contractual to provide support to trialists and subscribes and legitimate interest to ensure customer success with the product | 3 years after subscription or trial end for support & customer success.Sales/marketing on unsubscribe from campaigns | |
| Name | Storage and display in the application and transactional emails sent to you and other account users | Contractual, Various Legitimate Interests | Until you request the deletion of your account |
| Used to send product newsletter, e-courses and provision of other digital resources to you (including webinars) | Consent for the product newsletter and Contractual for the provision of resources and e-courses | Until you unsubscribe from the newsletter, 6 months after completion of a course or 6 months after a resource is delivered | |
| Used to provide support, sales/customer success and marketing | Contractual to provide support to trialists and subscribes and legitimate interest to ensure customer success with the product | 3 years after subscription or trial end for support & customer success.Sales/marketing on unsubscribe from campaigns | |
| Profile Image | Storage and display in the application | Consent based on your upload of an image either via Gravatar or manual upload | Until you request the deletion of your account or you change your profile image |
| IP address | Storage and usage in application tracking | Legitimate interest of security | Indefinite |
| Website tracking | Legitimate interest in improving the website for your benefit | 2 years after collection | |
| Analytics Cookies | Pseudo-anonymous id cookie used to aggregate session statistics | Legitimate interest of improving the application for your benefit | Up to 2 years |
| Mailing Address | Used to send physical resources to you | Consent | 6 months after delivery of the resource |
Appendix B – Personal Information Processors
| Processor | Information Processed | Location of Processing | Privacy Protections | Opt-out |
|---|---|---|---|---|
| Amazon Web Services, Inc. | Email, Name, IP address, Profile Image, IP address | EU | GDPR, Standard Contract Clauses, Data Processing Addendum | Delete your account |
| Help Scout PBC | Email, Name to provide customer support | US | Standard Contract Clauses, Data Processing Addendum | N/A |
| FullStory, Inc | Email, Name, IP, analytics cookie for customer support and analytics | US | Standard Contract Clauses, Data Processing Addendum | Opt-out |
| The Rocket Science Group, LLC d/b/a MailChimp | Email, Name for product newsletter | US | Standard Contract Clauses, Data Processing Addendum | Unsubscribe |
| Segment.io, Inc. | Email, Name for product analytics | US | Standard Contract Clauses, Data Processing Addendum | Delete your account |
| HubSpot, Inc | Email, Name, and other contact information for sales, marketing, and support purposes | US/EU | Standard Contract Clauses, Data Processing Addendum | Email sales to have your profile removed, unsubscribe from campaigns |
| Recurly, Inc | Name, Email for billing purposes | US | Standard Contract Clauses, Data Processing Addendum | N/A |
| Stripe, Inc | Name, Email for billing and fraud purposes | US | Standard Contract Clauses, Data Processing Addendum | N/A |
| Google, Inc (G Suite) | Email, name when contact us | US/EU | Standard Contract Clauses, Data Processing Addendum | |
| Google LLC | Analytics Cookie for anonymous tracking | US | Standard Contract Clauses, Data Processing Addendum | Opt-out with browser add-on |
| APIHub, Inc d/b/a Clearbit | Enrichment with non personal information (job title, company details) | US | Standard Contract Clauses, Data Processing Addendum | Opt-out |
| Zoom Inc | Email, Name for signup to the webinar and also to receive notifications about the webinar | US | Standard Contract Clauses, Data Processing Addendum | Click on emails sent by service |