Introduction

We are Tray.ai, Inc. (“we”, “us” or “our”) and we provide a platform that allows you to easily automate complex processes in your organization (“Services”). Whilst we are based in the United States, we also have a wholly owned UK subsidiary (Plan.nr Ltd).

We put great efforts in making sure that we secure the personally identifiable information related to you (“Personal Information”) and use it properly. This privacy policy will tell you how we use and protect Personal Information when you interact with us and use our website or platform. Hence, we process Personal Information subject to the terms of this policy.

This privacy policy is an integral part of our Terms and Conditions or, if applicable, of any other Services agreement entered into between you (or the entity that you are acting on behalf) and us.

The Summary of this policy will give you a quick and clear view of our practices. Please take the time to read our full privacy policy.

A Summary of the Policy

Overview of our Services – Our Services provide our customers a platform which can easily automate complex processes in your organization.

What type of Personal Information do we collect? – We collect most of the Personal Information related to you through the registration and login processes to our Services and your engagement with our website.

The purposes of use of the Personal Information – We collect the Personal Information related to you, for various business purposes as further detailed in ‘The purposes of use of the Personal Information’ section of this privacy policy.

Sharing Personal Information with third parties – We share information with our service providers as necessary to facilitate our business. We will share information when we change our corporate structure, and we will share the information with our affiliated entity.

Cross-border transfer – We use cloud-based services to store and process data in the United States, European Union, United Kingdom and Australia and will store them at additional sites, at our discretion, in accordance with applicable laws.

How do we secure the Personal Information? – We implement physical, technical and organizational measures to secure your Personal Information from loss, misuse, unauthorized access or disclosure, alteration or destruction.

Aggregated and analytical information - Aggregated data is not identifiable. We use standard analytical tools for legitimate business purposes.

What are your choices? – You may opt-out of our mailing lists and terminate your use of our website. Termination of our Services is subject to the terms of the customer’s Services agreement with us.

Accessing Personal Information related to you – At any time you can request access to Personal Information related to you.

Specific provision for EEA residents – If we process Personal Information related to you when you are in the EEA, further terms apply to our processing in relation to your rights as a data subject under EEA data protection laws.

Specific provision for California residents – If you are a California resident, you are entitled to specific privacy rights.

Data retention – We retain different types of Personal Information for different periods, depending on the purposes for processing the information, our legitimate business purposes as well as pursuant to legal requirements.

No AI/ML Training with Google OAuth Data – We do not use data authenticated with our Google Workspaces OAuth application, service or API to train any generalized AI or ML models. This is as required and agreed to in partnership with Google. For further information about how we use consume data for AI or model training please refer to this: https://tray.ai/documentation/tray-uac/merlin-ai/how-does-merlin-ai-use-my-data/

Changes to this privacy policy – We will update this privacy policy from time to time after giving proper notice.

Contact us – Please contact us at: privacy@tray.ai, or at our offices located at Tray.ai, Inc. 25 Stillman Street, San Francisco, CA 94107, United States.

Overview of Our Services

Our Services provide our “Customers”, i.e. entities which engage in a contractual relationship for the provision of our Services, an online platform through which organizations can easily automate complex processes, and connect their entire cloud stack.

To the extent that our Customers have provided us with personal contact details, rather than corporate business contact information, then such personal contact details will be collected by us. As such, the Personal Information we collect is used for the business relationships with our Customers, and service providers which engage with us for the provision of Services, goods or assets (“Service Provider”).

What type of Personal Information do we process?

You provide most of the Personal Information through the registration and login processes to our Services and through the submission of your details on our website.

The Services and our website are not directed for children under 18 years of age and we do not intentionally or knowingly collect Personal Information on such users.

Website visitors

When you contact us, for example to get a demo of our Services or to subscribe to our blog, or for any other reason, we will receive and process any Personal Information that you provide to us, such as your name, phone number and email address. In addition, we will collect any Personal Information that you will provide to us while communicating with us, for example via our messaging platform.

We use cookies and similar tracking technologies to make it easier for you to log-in and to facilitate the website and Services activities, to analyze performance and marketing activities, and to personalize your experience. Please see which cookies we place and why at https://tray.ai/cookies. We also use standard analytics tools as described in the Section titled “Aggregated and analytical information” of this privacy policy.

Tray platform users

If you have expressed an interest in our Services, or you have signed up for an account on behalf of a Customer, we will use the contact information you provided, such as your name, phone number and email address, to better understand how we can tailor the Services to you and better inform our sales team.

To the extent that a Customer, or anyone on its behalf, has provided us with personal contact details, rather than corporate business contact information (e.g., office@organization.com), then the aforementioned information will constitute Personal Information of such user.

Note, that if you create an account with us, we will need additional Personal Information to ensure the security of your account. You will be asked to create a password which will not be viewable by us or provide an access token which will not be usable by us.

In addition, we will collect any information that you provide whilst building workflows in the course of using our Services, answering our surveys and providing us with feedback regarding our Services.

We will use your phone number or your email address to send marketing emails in order to contact you about the use of our Services or to promote services which we feel you will be interested in. If you communicate with us, phone calls may be recorded for staff training or sales quality purposes.

Tray’s job candidates

If you are sending us a job application or job inquiry we will ask you to provide us with Personal Information about yourself so we can evaluate your application. If this information is not provided, our ability to consider you as a candidate may be limited. All information is provided on a voluntary basis and you determine the extent of information that you provide to us. The kind of information we collect from job candidates can include:

Your first and last name, email address, a home, postal or other physical address, other contact information, title, occupation, industry, personal interests, CV, work permit or visa information (where applicable), educational and employment history, referrals and references, job preferences, and other information you provide us with.

The purposes of use of the Personal Information

We use the Personal Information we collect for all of the following purposes:

• To provide, maintain and improve our Services;

• To get in touch about a trial or demo of our product;

• To send Services-related updates, notices and announcements;

• To study and analyze the functionality of the Services and users' activities;

• To provide Customer support;

• To manage our relationships with our employees and job candidates;

• To manage business relationships with our Service Providers and Customers;

• To comply with court orders and warrants, and assist law enforcement agencies and to take any action in any legal dispute and proceeding;

• For our recordkeeping and protection of our legal rights;

• For analytics purposes; and

• To prevent fraud, misappropriation, infringements, identity thefts and any other misuse of the Services;

• Subject to your consent, if such is required under applicable law, to send you e-mail or other messages and/or newsletters about us or our Services, including through one of our Service Providers. At any time, you can unsubscribe from our mailing list by clicking on the unsubscribe link on the message.

If you are a job applicant, we use the Personal Information collected to evaluate and assess your job application and suitability for the relevant position, as well as other existing or future job openings pursuant to your consent, and to further contact you if the application process is successful.

We will process, use, retain and share Personal Information solely for the purposes described in this privacy policy and only when reasonably necessary and proportionate to achieve such purposes for which such information was collected and processed.

To the extent relevant and possible, we will make efforts to maintain the Personal Information accurate, complete and up to date.

Sharing Personal Information with third parties

Like many companies, we use a number of Service Providers to help us provide the Services. Whilst these Services will require Personal Information related to you to be disclosed, we only allow these Service Providers to use it as necessary to fulfill the purposes for collecting the Personal Information under this privacy policy and under strict conditions.

For example, if you are our user or a website visitor, your contact information will be shared with our Service Providers for the purpose of finding additional personal data relating to you (enrichment) to aid our sales team or to provide a more tailored service. In addition, we will use customer support and analytics services like Intercom and Segment to provide you with customer support and learn how you use our Services.

Where we believe, under our discretion, that an alternative service is more suited for the needs of your entity, we will share your contact information with our authorized partners based on your consent. The partners will reach out to you and will offer you either our offering or a 3rd party offering.

Furthermore, we share Personal Information with our corporate affiliate (Plan.nr Ltd.) that is our UK subsidiary, for the purpose of operating our Services.

We will disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. In addition, we would disclose or use users' Personal Information to defend or enforce our legal rights and in accordance with any applicable law.

Additionally, a merger, acquisition or any other structural change will require us to transfer your Personal Information to another entity, as part of the structural change, provided that the receiving entity will comply with this policy.

Cross-border transfer

We are a global company with a headquarter in the US. We therefore process Personal Information in the US.

When processing Personal Data, we do so under the strict safeguards mentioned on our security page at https://tray.ai/trust.

When we transfer Personal Information to any of our service providers or partners in the US or a third country, we ensure that there is a lawful basis for the transfer (such as Standard Contractual Clauses as adopted by the European Commission, or a certification under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework), in order to safeguard the transfer of Personal Information we collect from the European Economic Area, the United Kingdom (the "UK"), and Switzerland and to ensure that adequate protection for Personal Information relating to you is provided as required by applicable law.

Data Privacy Framework Notice

Tray complies with the principles of the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. Tray has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of Personal Information received from the European Union in reliance on the EU-U.S. DPF, and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Tray has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of Personal Information received from Switzerland in reliance on the Swiss-U.S. DPF (the “Swiss-U.S. DPF Principles”, and together with the EU-U.S. DPF Principles, the “DPF Principles”). If there is any conflict between the terms in this Policy and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov.

Under the DPF Principles we are responsible for the processing of Personal Information we receive and, subsequently, for the Personal Information that we then transfer to a third-party service provider acting as an agent on our behalf, if the Personal Information is processed in a manner inconsistent with the Data Privacy Framework.

If you are located in the European Economic Area, the United Kingdom, or Switzerland you may seek confirmation regarding whether Tray is processing Personal Information about you, request access to Personal Information, and ask that we correct, amend or delete your Personal Information where it is inaccurate or has been processed in violation of the DPF Principles. Where otherwise permitted by applicable law, you may use any of the methods set out in this privacy policy to request access to, receive, object to processing, restrict processing, seek rectification, or request erasure of Personal Information relating to you held by Tray.

Tray may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If you have any questions, concerns, or complaints about our compliance with the DPF Principles, we encourage you to contact us under the contact details set forth in the section titled “Additional Information and Contact Details” below.

If you have an unresolved complaint regarding our handling of Personal Information we received in reliance on the Data Privacy Framework, please contact JAMS, our U.S.-based third-party dispute resolution provider (free of charge), at https://www.jamsadr.com/DPF-Dispute-Resolution.

Finally, if you have a complaint that we have violated the DPF Principles that has not been resolved by other means, you may have the ability to invoke binding arbitration as outlined more fully on the Data Privacy Framework website.

Tray is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

How do we secure the Personal Information?

We understand the importance of the Personal Information we collect from our Customers and sensitivity of what our Customers may want to use our platform for. We therefore take maximum precautions and provide full transparency of how we do this. See our security page at https://tray.ai/trust for information on how we safeguard your data and the compliance certifications we maintain.

Among other things, we maintain the confidentiality of Personal Information related to you and we take reasonable steps to ensure that the Personal Information is accurate, complete, current and reliable for its intended use. We have put in place appropriate physical, technical and organizational controls to safeguard and secure Personal Information related to you from loss, misuse, unauthorized access or disclosure, alteration or destruction.

These measures provide industry standard security. However, although we make efforts to protect your privacy, we cannot guarantee that the Services or our website will be immune from cyber-attacks, malicious activities, malfunctions, honest mistakes or other types of abuse and misuse.

Cookies and other tracking technologies

We use cookies and similar tracking technologies in order to operate and improve our Services and learn about how you and other users use our Services. We share anonymous, statistical or aggregated extracts of such information with our partners for our legitimate business purposes. This has no effect on your privacy, because there is no reasonable way to extract data from the aggregated information that we or others can associate specifically to you.

More information about the cookies and other tracking technologies that we are using can be found at https://tray.ai/cookies.

What are your choices?

At any time, you may opt-out of our mailing list by contacting us. You may request that the Personal Information related to you will not be shared with our affiliates and Service Providers (other than those acting as our sub-processors). In the event that we intend to use the Personal Information related to you for a purpose that is materially different from the purpose(s) for which it was originally collected, we will inform you about this and will not use Personal Information related to you for such different purpose unless authorized by you.

You can exercise your choices by contacting us at: privacy@tray.ai.

It may take up to ten (10) business days for your opt-out request to take effect. Please note that certain opt-out requests may require us to terminate your user account, for example, if transferring your Personal Information to a Service Provider is essential to provide the Services.

Termination of the Services is subject to the terms of the Customer’s Services agreement with us. At any time, you can stop using the website and ask that we delete your Personal Information. However, we may store and continue using or making available certain Personal Information related to you. For further information, please read the Data Retention section in this privacy policy.

Some web browsers offer a "Do Not Track" ("DNT") signal. A DNT signal is a HTTP header field indicating your preference for tracking your activities on the Services or through cross-site user tracking. Our Services and website do not respond to DNT signals.

Accessing Personal Information related to you

If you find that the Personal Information that we keep about you is not accurate, complete or up to date, please provide us the necessary information to correct it.

At any time, you can contact us at: privacy@tray.ai and request to access the Personal Information that we keep about you. We will ask you to provide us certain credentials to make sure that you are who you claim to be and to the extent required under applicable law, will make good-faith efforts to locate the Personal Information that you request to access.

We will use judgment and due care to redact from the data which we will make available to you, Personal Information related to others.

Specific provision for residents of the European Economic Area, the United Kingdom or Switzerland

The General Data Protection Regulation (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”) and the Swiss Federal Act on Data Protection (“FADP”) provide residents of the EEA, UK or Switzerland (as applicable) specific rights regarding their Personal Information. If the GDPR, or the UK GDPR or the FADP applies to the processing of Personal Information related to you by us, then the terms listed in this section apply, in addition to your rights under this Privacy Notice.

We base our processing of Personal Information (which is equivalent to the relevant term under the GDPR – “Personal Data”) as a Data Controller on the following lawful grounds:

1. All processing of Personal Information related to you which are not based on the lawful grounds indicated below, are based on your consent.

2. We process your Personal Information as a preliminary necessary step prior to initiating an engagement with the Customer or as necessary for the performance of the Services agreement with such Customer.

3. We will process Personal Information related to you to comply with a legal obligation and to protect yours and others' vital interests.

4. We will rely on our legitimate interests, which we believe are not overridden by your fundamental rights and freedoms, for the following purposes: -

5. Communications with you, including direct marketing where you are a Customer’s end-user, or where you make contact with us through our website and other digital assets;

• Cyber security;

• Support, customer relations, Services operations;

• Enhancements and improvements to yours and other Customers’ and Customers’ end-users’ experience with our Services;

• Fraud detection and misuse of our website and Services.

At any time, you can contact our privacy team at: privacy@tray.ai and request to exercise your rights in accordance with the provisions provided by law:

1. You are entitled to access the Personal Information that we keep about you together with information about how and on what basis the Personal Information is being processed and to rectify when such information is inaccurate. If you find that the Personal Information related to you is not accurate, complete or updated, then please provide us with the necessary information to correct it.

2. You can contact us if you want to withdraw your consent to the processing of Personal Information related to you, where applicable. Exercising this right will not affect the lawfulness of processing based on consent before its withdrawal.

3. You are entitled to request to delete or restrict access to Personal Information related to you in limited circumstances as described under the GDPR, subject to certain exceptions. If we need to delete Personal Information related to you following your request, it can take time until we completely delete residual copies of Personal Information related to you from our active servers and from our backup systems.

If you exercise one (or more) of the above-mentioned rights, in accordance with the provisions under the law, you are entitled to request to be informed that third parties that hold Personal Information related to you, in accordance with this privacy policy, will act accordingly.

1. You are entitled to request the transfer of Personal Information related to you in accordance with your right to data portability.

2. You are entitled to object to the processing of Personal Information related to you, for example in relation to direct marketing.

3. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affecting you.

4. You have the right to obtain a copy of or access to safeguards under which Personal Information related to you is transferred outside of the EEA.

5. You have a right to lodge a complaint with a data protection supervisory authority of your habitual residence or place of work of an alleged infringement of the GDPR, UK GDPR or FDPA.

We do periodical assessments of our data processing and privacy practices, to make sure that we comply with this privacy policy, to update the privacy policy when needed, and to verify that the privacy policy is displayed properly and accessible.

We will look into your query and make good-faith efforts to resolve any existing or potential dispute with you. Note that when you send us a request to exercise your rights, we will need to reasonably authenticate your identity and location. We will ask you to provide us credentials to make sure that you are who you claim to be and will further ask you questions to understand the nature and scope of your request.

Where we process Personal Information as part of the Services, as a data processor of our users, we are committed to assist our data controllers in fulfilling the above mentioned rights under the GDPR.

If you have any concerns about the way we process Personal Information related to you, you are welcome to contact us at: privacy@tray.ai.

Specific provision for California residents

This section applies solely to users of our Services who reside in the State of California.

If you are a California resident, California Civil Code Section 1798.83 permits you to request in writing a list of the categories of personal data relating to third parties to which we have disclosed certain categories of personal data during the preceding year for the third parties’ direct marketing purposes. To make such a request, please contact us at: privacy@tray.ai.

In addition, as a California resident, the California Consumer Privacy Rights Act (“CPRA”) applies to you, therefore, the following information, rights and obligations also apply.

Below are details about the categories of Personal Information that we may have collected during the preceding twelve (12) months. The actual Personal Information that has been collected or disclosed within the following categories with respect to any particular California consumer in the last 12 months depends on the consumer’s particular interactions and relationship with us.

• Identifiers and Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), such as your account name, phone number, email address, online identifier Internet Protocol address and as detailed under the section titled “What type of Personal Information do we process?” of this privacy policy;

• Biometric information where we record your phone calls with us for staff training or sales quality purposes.

• Internet or other electronic network activity information, including, but not limited to, website and mobile usage and session information, search history, and information regarding your interaction with an internet website, application or advertisement, and as detailed in our cookie policy at https://tray.ai/cookies.

• Geolocation data.

• Inferences drawn from other Personal Information.

We obtain the categories of Personal Information listed above from the following categories of sources:

• Directly from you and from your use of our website and Services;

• Third party Service Providers.

In the preceding twelve (12) months, we have used the categories of Personal Information that we have collected or received and we have disclosed it to the categories of third parties for the business purposes, as described above under the section titled “Sharing Personal Information with third parties”.

Your Rights as a California Resident (and other US States)

1. Right to know request - You have a right to request information about our collection, use, and disclosure of your personal information over the prior 12 months under the California Consumer Protection Act (CPRA), and to ask that we provide you with the following information:

   1. The categories of and specific pieces of Personal Information we collected about you;

   2. The categories of sources for the Personal Information we collected about you;

   3. Our business or commercial purpose for collecting that Personal Information;

   4. The categories of Personal Information that we disclosed for a business purpose, and the categories of third parties to whom we disclosed that particular category of Personal Information;

   5. If we disclosed your Personal Information for a business purpose, we will provide you with a list which will identify the Personal Information categories that each category of recipient obtained.

2. You can receive a copy of the Personal Information related to you by mail or electronically. Further, you can request to transfer specific Personal Information to another entity, provided that such transfer is technically feasible, in a structured, commonly used, machine-readable format. Correction Right - You have the right to ask us to correct Personal Information related to you that you find is erroneous, not accurate, complete or up to date.

3. Deletion Right - you have the right to request that we delete your Personal Information. Upon confirmation of your request, we will delete (and direct our Service Providers to delete) your Personal Information from our records, unless an exception under applicable law applies.

4. Non-discrimination - you also have a right not to be discriminated against for exercising your rights under the CPRA.

Exercising Your Rights

To exercise your rights under the CPRA as described above, please submit your request to us by sending an email to: privacy@tray.ai.

Only you or a person authorized to act on your behalf, can make a request related to your Personal Information. A request for access can be made by you only twice within a 12-months period.

We cannot respond to your request or provide you with the requested Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. We will only use the Personal Information provided in your request to verify your identity or authority to make the request. We will do our best to respond to your request within 45 days of its receipt. If we require more time (up to additional 45 days), we will inform you of the reason and extension period in writing.

Any disclosures that we provide will only cover the 12-month period preceding receipt of your request.

The response we provide will also explain the reasons for our inability to comply with your request, if applicable.

We do not charge a fee to process or respond to your request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will inform you of the reasons for such decision and provide you with a cost estimate before processing further your request.In the preceding twelve (12) months we have not sold, shared or disclosed Personal Information for consideration.

We do not use Personal Information for the purpose of automated decision-making.

Data retention and destruction

We retain different types of Personal Information for different periods, depending on the purposes for processing such information, our legitimate business purposes as well as pursuant to legal requirements under the applicable laws.

We will maintain your contact details, to help us stay in contact with you. At any time before or after the termination of the Services, you can contact our privacy team at privacy@tray.ai and request to delete your contact details.

Note that we may retain your details without using them unless necessary and for the necessary period of time, for legal requirements and proceedings, and that we will not retain the Personal Information related to you for any longer than reasonably necessary for purposes described in this privacy policy.

We will keep aggregated non-identifiable information without limitation, and to the extent reasonable we will delete or de-identify potentially identifiable Personal Information, when we no longer need to process the information.

In any case, as long as you use the Services, we will keep information about you, unless applicable law requires us to delete it.

Changes to this privacy policy

From time to time, we will need to update this privacy policy. If the updates have minor, if any, consequences, they will take effect immediately after we post a notice on the Services’ platform and/or our website, or after we send you the notice through email or through the Services. Substantial changes will be effective 30 days after we initially posted our notice. Changes to this privacy policy are effective as of the stated “last updated” date.

Continuing to use the Services or our website after the new privacy policy takes effect means that you agree to the new privacy policy. Note that if we need to adapt the privacy policy to legal requirements, the new privacy policy will become effective immediately or as required.

Contact us

If you have any questions about this privacy policy or would like to contact us regarding your Personal Information, please contact us at: privacy@tray.ai.

If you have any concerns about the way we process Personal Information related to you, you are welcome to contact our representative in the EU at: privacy-eu-rep@tray.ai. We will look into your inquiry and make good-faith efforts to respond promptly.

This privacy policy was last updated on October 8, 2024.