Last update: 16 Nov October 2023
At The Mintable, Inc. dba Tandem Team, Inc. together with its Australian entity The Mintable Pty Ltd dba Tandem Team Pty Ltd ABN 87 653 712 719, (“Tandem”, “we”, “us”, or “our”) we provide tools and support to help your company achieve a high performance culture through continuous feedback.
Please read this policy carefully to understand how we handle and treat your personal information.
What information do we collect?
Tandem collects data to enable it to operate the Services effectively, and to provide you with the best experiences on our website and our Services. You provide some of this data to us directly, such as when you register to use our Services (whether directly through us, or indirectly through a collaboration service or third party service like Slack), subscribe to a newsletter, respond to a survey, make an enquiry through our website, contact us for support, or contact us as a prospective customer, vendor, supplier, or consultant. We get some of your data by recording how you interact with our website and our Services by, for example, using technologies like cookies. We also obtain and process data in the context of providing the Services.
The data we collect depends on the context of your interactions with Tandem, the choices you make (including your privacy settings), and the Services you use. The data we collect can include the following:
Name and contact information. We may collect your first and last name, email address, postal address, phone number, company information, and other similar contact data.
Payment information. When you add a payment method on our website, the information will be directly sent to and stored by our payment provider (currently, Stripe). We do not have access to complete payment information.
Customer information. When you subscribe to our Services, you will control what data is collected and stored on our systems. For example, you might give us the following types of data during your use of the Services: name and email address. In such cases, we act as a data processor, in accordance with your instructions.
Device and Usage information. We may collect data about your device and how you and your device interact with Tandem and our Services. For example, we may collect:
- Use data. We may collect data about the features you use, the Services you purchase, and the web pages you visit. This also includes your interactions on our website, and your interactions with us via email.
- Device, connectivity and configuration data. We may collect data about your device and the network you use to connect to our Services. This may include data about the operating system and other software installed on your device, including product keys. It may also include IP address, browser type, operating system, and referring URLs.
We also may collect and process personal information as described in Cal. Civ. Code § 1798.80(e) to the same extent and for the same reasons that we collect and process the corresponding type of personal information in the above list. For example, we may collect your name, a type of personal information in Cal. Civ. Code § 1798.80(e), as an identifier.
Sensitive personal information: We do not actively request sensitive personal information about you or process your personal information in a manner that allows us to derive sensitive personal information about you.
What do we use your information for?
We collect and use data that is reasonably necessary to operate our business, and to provide the Services to you. This includes using the data to improve our Services, and to personalize your experiences. We may also use the data to communicate with you to, among other things, inform you about your account, provide security updates, and give you information about the Services. We may also use the data to manage your email subscriptions, improve the relevance and security of our website, respond to user enquiries, send you periodic marketing communications about our Services, and improve the relevance of our advertising.
Providing and improving our Services. We use data to provide and improve the Services we offer, and to perform essential business operations. This includes operating the Services, maintaining and improving the performance of the Services, developing new features, conducting research, and providing customer support. Examples of such uses include the following:
- Providing the Services. We use data to carry out your transactions with us and to provide the Services to you. In certain cases, the Services include personalized features and recommendations that enhance your productivity and enjoyment, and automatically tailor your experience based on the data we have about you.
- Technical support. We use data to diagnose product problems, and to provide other customer care and support services.
- Improving the Services. We use data to continually improve our website and our Services, including system administration, system security, and adding new features or capabilities.
- Business Operations. We use data to develop aggregate analyses and business intelligence that enable us to operate, protect, make informed decisions, and report on the performance of our business.
- Recruitment. If you apply for a job with us, we use your data for recruitment purposes.
- Promotions. We may use your data to administer contests, promotions, surveys, or other site features.
- Improving Advertising Campaigns. We may use your data to improve our advertising campaigns, primarily in an effort to prevent targeting of impressions via third-party channels when they are not relevant to you.
- Sending Periodic Emails. We may use your data to send you periodic emails. We may send you occasional marketing emails about our products and services, which you can unsubscribe from at any time using the link provided in the message.
- Generally. We use data to respond to your enquiries and requests relating to our Services, to create and administer your accounts, and to provide us with information and access to resources that you have requested from us. We also use data for general business purposes, including, among other things, to improve customer service, to help us improve the content and functionality of our Services, to better understand our users, to protect against wrongdoing, to enforce our Terms of Service, and to generally manage our business.
- Communications. We use data we collect to communicate with you, and to personalize our communications with you. For example, we may contact you to inform you when your subscription is ending, to discuss your account, to let you know when updates are available, to remind you about features of the Services that are available for your use, to update you about a support request, or to invite you to participate in a survey.
- Benchmark data. We may use your de-identified data to develop and share benchmarking data. This benchmarking data can be used by users and customers to compare with others.
- Legal requests. If we receive a legal request or are informed of a situation that may cause harm, or potential harm, to someone, we may need to inspect your personal information or data to respond appropriately to that request or threat.
- Marketing purposes. We may send you news and information about our products or Services that you either request from us, or we believe may interest you (unless prevented by law). We may also combine information about you from third party sources with information we hold about you to create a user profile, which will help us to make our sales and marketing efforts more relevant to you and to personalize and improve your experience.
How do we retain data?
We may retain your personal information as long as you continue to use the Services, have an account with us, have Tandem installed on your collaboration service or other Third Party Account, or for as long as is necessary to fulfill the purposes outlined in the policy. You can ask to close your account by contacting us at the details above, and we will delete your personal information on request.
We may, however, retain personal information for an additional period as is permitted or required under applicable laws, for legal, tax, or regulatory reasons, or for legitimate and lawful business purposes.
We will retain your personal data for as long as necessary to provide the Services to you, or for other essential purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for different types of data in the context of the different Services we provide, actual retention periods can vary significantly. The criteria we use to determine the retention periods include:
- How long is the personal data needed to provide the Services and/or operate our business? This includes such things as maintaining and improving the performance of the Services, keeping our systems secure, and maintaining appropriate business and financial records. This is the general rule that establishes the baseline for most data retention periods.
- Is Tandem subject to a legal, contractual, or similar obligation to retain the data? Examples can include mandatory data retention laws in the applicable jurisdiction, government orders to preserve data relevant to an investigation, or data that must be retained for the purposes of litigation.
- Is Tandem installed on your collaboration service? Removing Tandem from your collaboration service or other Third Party Account is a prerequisite for complete data deletion.
How do we protect your information?
We follow industry-standard security practices to ensure the confidentiality, integrity, and availability of customer data.
Our website is scanned on a regular basis for security holes and known vulnerabilities in order to make our services as safe as possible. Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all sensitive information you supply is encrypted and transferred via Secure Socket Layer (SSL) technology. However, please note that we cannot guarantee that the information will not be exposed as a result of unauthorized penetration to our servers. As the security of information depends in part on the security of the computer, device or network you use to communicate with us and the security you use to protect your user IDs and passwords, please make sure to take appropriate measures to protect this information.
The following are the key security controls implemented in our hosting architecture, data handling, encryption, network controls and identity and access controls:
Hosting Architecture. Services are hosted on Amazon Web Services (AWS), with shared security responsibilities between Tandem and AWS, as per the AWS Shared Responsibility Model. Tandem is responsible for data security and encryption, application security and deployment, identity access management, and network and firewall configuration. AWS manages the underlying infrastructure, including hardware, software, networking, and facilities.
Encryption, Data Storage, and Data in Transit. Data stored by our platform is encrypted at rest using the Advanced Encryption Standard (AES) algorithm. AWS services utilized by the Slack application, such as Amazon RDS and Amazon ElastiCache for Redis, are configured to use encryption at rest. Data remains encrypted throughout the backup process, and strict security controls are in place to protect the encryption keys. Data in transit between end-users and our systems is encrypted using Transport Layer Security (TLS) and AES. This includes all network communication between the platform and Slack and between the platform and OpenAI.
Network Controls. Our application is hosted within a private Virtual Private Cloud (VPC) on AWS. Network segmentation is implemented to separate the API communication services from data handling processes, ensuring enhanced control and security. Security Groups act as stateful firewalls, permitting access only between specific resources with logical boundaries, reducing the attack surface and preventing unauthorized access to critical resources. Network Access Control Lists (NACLs) provide an additional layer of security, controlling traffic to and from subnets within our VPC.
Identity and Access Security Controls. We utilize the AWS Identity and Access Management (IAM) service to manage access to our systems. IAM user accounts are provisioned solely for Tandem employees responsible for developing and maintaining the Services. We follow a role-based access control (RBAC) model, where IAM roles are assigned based on organizational roles, responsibilities, and the principle of least privilege.
Do we disclose any information to outside parties?
We share your personal data with your consent, or as necessary to provide the Services to you. We also share your data with vendors working on our behalf; when required by law or to respond to legal process; to protect our customers; to protect lives; to maintain the security of our Services; and to protect our rights or our property.
We share your personal data with your consent, or as necessary to provide the Services to you. We also share personal data with vendors or agents working on our behalf for the purposes described in this Policy. For example, companies we have hired to provide cloud hosting services, off-site backups, and customer support may need access to personal data to provide those functions. In such cases, these companies are required to abide by our data privacy and security requirements and are not allowed to use personal data they receive from us for any other purpose.
We may disclose your personal data as part of a corporate transaction such as a corporate sale, merger, reorganization, dissolution, or similar event.
Finally, we will access, transfer, disclose, and/or preserve personal data, when we have a good faith belief that doing so is necessary to:
- comply with applicable law or respond to valid legal process, judicial orders, or subpoenas;
- respond to requests from public or governmental authorities, including for national security or law enforcement purposes;
- protect the vital interests of our users, customers, or other third parties (including, for example, to prevent spam or attempts to defraud users of our products, or to help prevent the loss of life or serious injury of anyone);
- operate and maintain the security of our Services, including to prevent or stop an attack on our computer systems or networks;
- protect the rights, interests or property of Tandem or third parties;
- prevent or investigate possible wrongdoing in connection with the Services; or
- enforce our Terms of Service.
We may use and share aggregated non-personal information with third parties for marketing, advertising, and analytics purposes.
We do not sell or trade your personal information to third parties.
How does Tandem process data?
We collect, use and share the data that we have in the ways described above:
- as necessary to fulfill our Terms of Service
- as necessary to comply with our legal obligations
- consistent with your consent, which you may revoke at any time
Data controller/Processor. Certain data protection laws and regulations, such as the EU GDPR, UK GDPR and the CCPA, typically distinguish between two main roles for parties processing personal data: the “data controller” (or under the CCPA, “business”), who determines the purposes and means of processing; and the “data processor” (or under the CCPA, “service provider”), who processes the data on behalf of the data controller (or business). Below we explain how these roles apply to our Services, to the extent that such laws and regulations apply.
- Tandem is the “data processor” of Customer Data, which we process on behalf of our Customer (who is the “data controller” of such data); and our Service Providers who process such Customer Data on our behalf are the “sub-processors” of such data. This includes organizational information, aggregated data, application, and employee information.
- Tandem is both a “data controller” and “data processor” of User Data. Such data is processed by Tandem for its own purposes (such as analytics), as an independent ‘controller’; whilst those certain portions of it which are included in Customer Data will be processed by us on behalf of our Customer, as a ‘processor’.
Tandem relies on subprocessors, which are third-party service providers that we engage to process personal information on our behalf in connection with the provision of our Services.
The following is a list of our subprocessors:
Stripe. We use Stripe to process payments for our Services. Stripe is a third-party payment processor that handles all aspects of the payment process, including the collection and storage of your payment information. When you make a payment on our platform, your payment information is processed and stored by Stripe.
Google Analytics. We use Google Analytics to collect and analyze data related to the use of our Website and Services. This includes information about how users interact with our Website, what pages they visit, and how they found our Website. Google Analytics processes this data to help us understand user behavior and improve our Services.
Hotjar. We use Hotjar as an additional analytics tool to help us understand how users interact with our Services. Hotjar collects and processes data about user behavior, including the pages visited, time spent on the Website, and other user interactions. This information helps us to improve the user experience and optimize our Services.
Hubspot. We use Hubspot to store data about prospects and customers and receive and reply to inquiries from prospects, customers, and users of our Services. We also collect form submissions from our website and other parts of our Services.
Tandem’s Slack application (“Slack App”)
The Slack App allows users to log and share feedback and generate feedback scripts. Once installed in an organization’s Slack workspace, users of that workspace can command the application to generate feedback. The user will be prompted to provide specific information to help generate the feedback script. To facilitate this functionality, the application uses a combination of Tandem’s knowledge base on sharing great feedback and OpenAI’s natural language processing capabilities.
Storage of Workspace Information. The application securely stores the workspace ID and name of the workspace where it is installed. This information is used to identify and interact with the specific workspace.
OAuth2 Workflow. The application uses Slack’s OAuth2 workflow during installation. Exchange codes are received and used to obtain a bot token, which serves as a unique identifier for the application and is used for making Slack API requests.
Requested Scopes. During the authentication process, the application requests specific scopes to ensure its functionality. See table below:
|Scope|Purpose|
|---|---|
|Send messages as @Manager Assistant|Enables the application to respond to user prompts as messages|
|Add shortcuts and/or slash commands that people can use|Enables users to begin a feedback generation thread with our app through the Slack command /mgr-feedback [prompt]|
|View messages and other content in direct messages that Manager Assistant has been added to|Enables the application to retrieve messages for each feedback generation thread. This will be used as context when generating the appropriate feedback script|
|View basic information about direct messages that Manager Assistant has been added to|Enables the application to timely process any direct message that was sent to it|
|Start direct messages with people|(Future use) We intend to provide timely notifications to users as reminders on sending feedback|
|Add and edit emoji reactions|Enables the application to react to a user’s Slack command, providing immediate feedback|
Storage of Bot Token. To ensure secure communication with Slack’s API, the bot token generated during installation is stored in a database within Tandem’s platform’s secure VPC (see Platform details below).
Feedback Generation Threads. The application provides a feedback generation feature accessed via the “/draft-feedback” slash command. User-initiated feedback generation threads are created. All messages exchanged between users and the application, within each feedback generation thread, are stored in a database on Tandem’s platform. As per the Slack Developer Policy, all data will be removed within 14 days of the app being removed from a workspace.
Slack App OpenAI Integration. As part of the feedback generation process, the application uses OpenAI’s API to interpret messages received from users and help generate feedback scripts. Messages that are part of feedback generation threads are securely sent to OpenAI. All communications sent to OpenAI are encrypted in transit. As per OpenAI’s API data usage policy, messages sent to OpenAI are not used to train its models and are deleted 30 days after being received.
Yes. Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your Web browser (if you allow) that enable the site’s or service provider’s systems to recognize your browser and capture and remember certain information. You can choose to disable cookies, but if you do, your ability to use or access certain parts of our website may be affected.
You may refuse to accept cookies by activating the setting on your browser that allows you to refuse the setting of cookies. You can find information on popular browsers and how to adjust your cookie preferences at the following websites:
- Google Analytics. We have enabled Google Analytics Advertising Features including Remarketing Features, Advertising Reporting Features, Demographics and Interest Reports, Store Visits, Google Display Network Impression reporting etc. We and third-party vendors use first-party cookies (such as the Google Analytics cookie) or other first-party identifiers, and third-party cookies (such as Google advertising cookies) or other third-party identifiers together. You can opt out of Google Analytics Advertising Features, including by using a Google Analytics Opt-out Browser add-on found here. To opt out of personalized ad delivery on the Google content network, please visit Google’s Ads Preferences Manager here or, if you wish to opt out permanently even when all cookies are deleted from your browser, you can install their plugin here. To opt out of interest-based ads on mobile devices, please follow these instructions for your mobile device: On Android, open the Google Settings app on your device and select “ads” to control the settings. On iOS devices with iOS 6 and above, use Apple’s advertising identifier. To learn more about limiting ad tracking using this identifier, visit the settings menu on your device.
How to Access and Control Your Personal Data (Data Subject Rights)
Customers are responsible for how the Services are used by members of their organization. How you can access and control your personal data will depend on how your company determines to use the Services. You do not have to provide personal information to us, however, if you do not, it may affect our ability to provide our Services to you and your use of our Services.
You can opt out from receiving marketing communications from us by using the opt-out link on the communication.
Responsibility. Our Customers are solely responsible for determining whether and how they wish to use our Services. They are also responsible for ensuring that all individuals using the Services on the Customer’s behalf or at their request, as well as all individuals whose personal data may be included in Customer Data processed through the Services, have been provided with adequate notice and given informed consent to the processing of their personal data, where such consent is necessary or advised, and that all legal requirements applicable to the collection, recording, use or other processing of data through our Services are fully met by the Customer, including specifically in the context of an employment relationship. Our Customers are also responsible for handling data subject rights requests under applicable law, by their Users and other individuals whose data they process through the Services.
Data Erasure. You can request that Tandem delete your personal data by sending your Administrator a written request. On your behalf, your Administrator can email email@example.com with “Delete data request” in the subject line. We will use reasonable efforts to respond to your request within 14 days, but in all events within 30 days of our receipt of the request. Please note that we retain billing and usage metadata about a company or individual as required for compliance with law and regulation.
Access (Australian residents only). You may request access to the personal information that we hold about you. An administrative fee may be payable for the provision of such information. Please note, in some situations, we may be legally permitted to withhold access to your personal information. If we cannot provide access to your information, we will advise you as soon as reasonably possible and provide you with the reasons for our refusal and any mechanism available to complain about the refusal. If we can provide access to your information in another form that still meets your needs, then we will take reasonable steps to give you such access.
Correction (Australian residents only). If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us using the details below. We will take reasonable steps to promptly correct any information found to be inaccurate, out of date, incomplete, irrelevant or misleading. Please note, in some situations, we may be legally permitted to not correct your personal information. If we cannot correct your information, we will advise you as soon as reasonably possible and provide you with the reasons for our refusal and any mechanism available to complain about the refusal.
Complaints. If you wish to make a complaint, please contact us using the details below and provide us with full details of the complaint. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take in response to your complaint.
Your Communications Preferences. You can choose whether you wish to receive marketing communications from us. If you receive marketing communications from us and would like to opt out, you can do so by following the directions in that communication. Please note that these choices do not apply to mandatory communications that are part of the Services, or to surveys or other informational communications that have their own unsubscribe method.
Third Party Links. Occasionally, at our discretion, we may include or offer third party products or services on our website or through our Services. If you access other websites using the links provided, the operators of these websites may collect information from you that will be used by them in accordance with their privacy policies. These third party sites have separate and independent privacy policies. We, therefore, have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.
Where we Store and Process Personal Data; International Transfers. Personal data collected by Tandem may be stored and processed in the United States or in any other country where Tandem or its affiliates, future subsidiaries or service providers maintain facilities. The storage location(s) are chosen in order to operate efficiently, to improve performance, and to create redundancies in order to protect the data in the event of an outage or other problem. We take steps to ensure that the data we collect is processed according to the provisions of this Policy, and the requirements of applicable law wherever the data is located.
Additional Notices & Contact Details
Children’s Privacy. Our websites and Services are not intended for children under the age of 18 and we do not knowingly collect the personal information of children under the age of 18. If we become aware that we have inadvertently received the personal information of a child under the age of 18, we will delete such information from our records to the extent permitted by law.
California Site Ownership Disclosure. Under California Civil Code Section 1789.3, California residents are entitled to the following specific consumer rights information: The provider of this website is Tandem, Inc., 13980 W. 78th Avenue, Arvada, CO, 80005 United States. To file a complaint regarding this website or to receive further information regarding use of this website, send a letter to the above address or contact us via e-mail at firstname.lastname@example.org. You may also contact the Complaint Assistance Unit of the Division of Consumer Services of the Department of Consumer Affairs in writing at 1625 North Market Blvd., Suite N 112, Sacramento CA 95834 or by telephone at 1-800-952-5210.
California “Do Not Track” Disclosure. “Do Not Track” is a web browser privacy preference that causes the browser to broadcast a signal to websites requesting that the user’s activity not be tracked. Currently, our websites do not respond to “Do Not Track” signals.
We will update this privacy statement when necessary to reflect customer feedback and changes in our Services. When we post changes to this statement, we will revise the “last updated” date at the top of the statement. If there are material changes to the statement or in how Tandem will use your personal data, we will notify you either by prominently posting a notice of such changes before they take effect or by directly sending you a notification. We encourage you to periodically review this privacy statement to learn how Tandem is protecting your information.
How to Contact Us
If you have a technical or support question, please contact us at email@example.com or lodge a request through this form.
If you have a privacy concern, complaint, or a question, please contact us by sending us an email at firstname.lastname@example.org. We will respond to questions or concerns within 30 days.
Unless otherwise stated, The Mintable, Inc. dba Tandem Team, Inc. is a data controller for personal data we collect through the Services subject to this statement. Our address is 13980 W. 78th Avenue, Arvada, CO, 80005 United States.