What personal information is processed?

Talkdesk restricts access to information to what is relevant, proportional, adequate, and necessary for the purposes for which it was collected, and it may vary according to the processing activity at stake, and it may include:

• identification data (first name, last name)

• contact data (business email address, business phone number),

• professional details (functional role, company name, country).

• resume, cover letter, and LinkedIn profile.

From whom is data collected?

We collect information from various individuals relevant to our processing activities, including, but not limited to, employees, job applicants, customer contacts, event participants, newsletter subscribers, and those who request e-books.

How it is collected?

Talkdesk may collect data directly from the data subjects or third parties.

When collecting directly from the data subject the information is provided voluntarily by the data subject to fulfil specific purposes, such as:

• Register on the Talkdesk website, Talkdesk “Knowledge Base”, Talkdesk Academy website, or Talkdesk Community.

• Expresses an interest in obtaining information about Talkdesk, Talkdesk products, services, and events.

• Interacts with Talkdesk’s social media campaigns via social networks.

• Apply for an open position.

• Chooses to download Talkdesk ebooks and use resources available on the Talkdesk website.

• Employment-related processes.

When collecting data from third parties, Talkdesk ensures that the data was collected lawfully and for a specific purpose, such as business contact information from an employer, reseller partners, trusted strategic alliances, or acquired professional contacts databases. Appropriate privacy and security assessments are performed to ensure compliance with applicable laws and regulations and that the data collection is lawful and fair.

Talkdesk may also collect information from publicly accessible resources.

What is the legal basis for processing?

The legal basis of each processing is defined on a case-by-case basis. Still, it can be performance or taking steps for the performance of a contract, compliance with a legal obligation, furtherance of a legitimate interest, or consent.

Please feel free to request more details from our Data Protection Officer, using the email address [email protected].

Why is personal information processed?

Having in mind the principle of data minimisation, Talkdesk collects the least amount of information required and only for the purposes specifically identified. The purposes for which personal data is processed include:

• Respond to requests.

• Recruiting and hiring management.

• Support sales efforts, including getting feedback from the engagement process, always from a B2B perspective.

• Send marketing information on our products and services marketing (including telemarketing) – B2B perspective.

• Customer relationship management.

• Provide support to our customers.

• Event registration.

• Cookie management.

• Ensure compliance with applicable laws and regulations, including but not limited to export control and sanctions laws, and assert Talkdesk’s rights or defend Talkdesk against any legal claim.

Use of Automated Systems and AI Processing
We may use automated systems, including artificial intelligence (AI), to process certain types of data for some of the purposes described above, such as AI chatbots, improving our services, and conducting analytics. These systems may analyze data in ways that assist decision-making, but final decisions affecting users will not be made solely by automated means unless legally permitted and appropriately disclosed.

Talkdesk may conduct automated screenings against applicable sanctioned-party lists and global watch lists and ask for clarifications in case of a potential match.

Talkdesk does not use or process personal data for purposes other than those for which the data were collected, does not sell personal information, and does not allow its sub-processors to sell personal information (as the term “sell” is defined under the CCPA).

How long is personal information retained?

The length of time personal information is retained depends on the type of personal information and the purposes for which it will be processed.

Data is deleted when it is no longer necessary to fulfil the purpose for which it was collected.

Under applicable legislation, Talkdesk provides more information on the data retention periods upon data collection.

To whom may personal information be transferred?

Talkdesk may share, transfer, or disclose personal information in specific situations to particular categories of recipients:

• Our trusted SaaS third-party providers act as processors under Talkdesk’s instructions.

• Talkdesk reseller partners are trusted strategic alliances that may support Talkdesk sales efforts according to privacy laws and regulations.

• Talkdesk partners and sponsors promote events according to privacy laws and regulations.

• Talkdesk affiliates are subject to Talkdesk’s security and privacy policies and applicable laws and regulations of each region.

• Government entities where the transfer of information is legally required under local laws or required to comply with legal requests.

• Potential buyers in connection with a merger & acquisition, or any transfer or sale.

Talkdesk has implemented mechanisms to choose and engage providers and, when required by law, disclose personal information to government entities.

Talkdesk does not sell personal information or allow its sub-processors to sell it (as the term “sell” is defined under the CCPA).

A list of Talkdesk’s processors can be provided if requested to [email protected].

In the context of an onward transfer, Talkdesk is responsible for processing personal data received under the EU-U.S. DPF and transfers to a third party acting as a processor on its behalf. Talkdesk remains liable under the principles of EU-U.S. DPF and the Swiss-U.S. DPF if its processor processes such personal information in a manner inconsistent with the principles unless the organization proves that it is not responsible for the event that caused the damages.

What are the data subject rights?

Data subjects’ rights depend on the applicable law. Talkdesk will include at least the following data subjects’ rights:

• Right of access: to obtain confirmation as to whether or not personal information concerning the data subject is being processed and, where that is the case, access to that personal information.

• Right to rectification: to obtain rectification of inaccurate personal information concerning the data subject.

• Right to erasure or be forgotten: to erase personal information concerning the data subject.

• Right to restrict processing: to restrict the processing of personal information to the extent permitted by law and following Talkdesk contractual and legal commitments.

• Right to data portability: to receive the personal information provided concerning the data subject in a structured, commonly used, and machine-readable format.

• Right to object: to object to the processing of the data subject’s data for reasons related to their particular situation.

• Right, not to be subject to automated decision-making: not to be subject to a decision based solely on automated processing.

• Right to withdraw consent: to remove consent for specific processing.

• Right to complaint: to lodge a complaint with an EU supervisory authority or invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms for additional information: “https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2“.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Talkdesk commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to an EU Data Protection Authority (DPAs), the UK Information Commissioner’s Office (ICO) or the Swiss Federal Data Protection and Information Commissioner (FDPIC), an alternative dispute resolution provider based in the European Union, United Kingdom, or Switzerland, respectively. If you do not receive a timely acknowledgement of your DPF Principles-related complaint from us, or if we have not addressed your 2 / 6DPF Principles-related complaint to your satisfaction, please visit https://edpb.europa.eu/about-edpb/about edpb/members en for EU Data_Protection Authorities, https://ico.org.uk/make-a-complaint/ for the UK Extension to the EU-U.S. DPF, or https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html on the Swiss-U.S. DPF, for more information or to file a complaint. The services of these organisations are provided at no cost to you.

How can a data subject exercise its rights?

Data subjects may exercise their rights by submitting a request to the Data Protection Officer via email at [email protected].

In line with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Talkdesk commits to resolving DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Talkdesk at [email protected].

Where is information stored?

As a US-headquartered multinational company, Talkdesk may collect, transfer, process, and store personal data not only in the United States but also by our affiliates based in other countries or third parties described in the preceding paragraph, based in the United States and other countries.

Talkdesk has also been established in Australia, Brazil, Canada, China, Portugal, the United Kingdom, Singapore, and India.

Personal data, when held digitally, is mainly stored in the US, and any transfer of information from the European Economic Area (EEA) and Switzerland to the US or other countries is made based on the following:

• Adequacy Decision: Countries designated by the European Commission as having adequate protection for personal information.

• Standard Contractual Clauses: Talkdesk relies on the European Commission’s model contracts (i.e., standard contractual clauses) to transfer personal information to third countries under Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

When held physically, personal data is stored in the exact location where it was produced.

How is information protected?

Talkdesk has implemented an Information Security and Privacy Information Management System (ISMS and PIMS) and a Business Continuity Management System (BCMS) as a framework for continuously improving security, privacy, and business continuity.

The ISMS, PIMS, and BCMS include Policies, Awareness of Security and Privacy, adequate procedural and technical controls, audit logging, and third-party due diligence, among other things.

Personal Information from Children

Talkdesk will never knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, that information will be immediately deleted.

Because we do not collect such information, we have no information to use or disclose to third parties.

This notice complies with the Children’s Online Privacy Protection Act (COPPA).

California User Consumer Rights

Under California Civil Code Section 1789.3, California resident users are entitled to know that they may file grievances and complaints with the California Department of Consumer Affairs, 400 R Street, STE 1080, Sacramento, CA 95814, or by phone at 916-445-1254 or 800-952-5210; or by email to [email protected].

For more information about protecting your privacy, you may wish to visit http://www.ftc.gov.

A California resident can, under California Civil Code Section 1798.83, request information about the disclosure of personal information to third parties for direct marketing purposes. This privacy notice applies only to activities within the State of California. If you have questions about this privacy notice, please email [email protected].

According to the California Consumer Privacy Act 2018, consumers have the following rights:

• to delete personal information collected from them;

• to know what personal information a business has collected about them and how it is used and shared;

• to opt out of the sale and sharing of their personal information;

• to non-discrimination for exercising their CCPA rights;

• to correct inaccurate personal information that a business has about them, and

• to limit the use and disclosure of sensitive personal information collected about them.

Talkdesk shall respond to the requester within 45 days of receiving the request. To exercise these rights, submit to the Data Protection Officer by email at [email protected].

Data Protection Framework

Talkdesk complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the U.K. Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) set forth by the U.S. Department of Commerce, which certified Talkdesk.

Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) about the processing of 3 / 6personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in dependence on the U.K. Extension to the EU-U.S. DPF.

Talkdesk has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) about processing personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program and to view our certification, please visit https://www.dataprivacyframework.gov/.

Talkdesk is also subject to the investigation and enforcement of the Federal Trade Commission (FTC) or another statutory body that will effectively ensure compliance with the EU-US DPF principles. You can learn more about it at https://www.ftc.gov/. Talkdesk is committed to ensuring that the principles of the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the U.K. Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) are complied with, even after we leave the DPF program.

Why is personal information collected?

Personal data is collected to provide the service of Contact Center as a Service and to support and troubleshoot issues reported by the customers.

Talkdesk may use Artificial Intelligence (AI) systems to process personal data at customers’ request. Talkdesk provides a service to its customers that includes generative AI and Large Language Models (LLMs). These technologies offer enhanced customer interactions through unprecedented language understanding and generation capabilities, improve automation and efficiency for handling inquiries, personalization based on individual customer data, and 24/7 availability to increase accessibility and responsiveness. These systems are designed to operate within the legal safeguards defined by the EU AI Act and the GDPR. All data undergoes quality checks to reduce bias and ensure fairness.

What personal information is processed?

When Talkdesk provides a cloud service and processes data under the customers’ instructions, it acts as a processor. Therefore, compliance with the legal requirements by the controller when using Talkdesk’s products is the Customer’s responsibility.

To provide the service, Talkdesk may collect/access personal data such as:

• Agent: name, phone number, email, location-time, country, address, and IP;

• Contact: phone number, email, job title, name, company, and address;

• Call metadata: origin phone number, destination phone number, start date, time, and duration;

• Interaction metadata: conversation origin and destination, date, time, and duration;

• Content data: call recordings, chat transcriptions, email, messages, and screen recordings (if the Customer enables these features);

• Users (agent, supervisor, administrator): name, email, and associated phone number.

• Other: may also include physical or professional characteristics of the agent, such as gender or languages spoken.

Additional information may be collected if Talkdesk is integrated with other tools managed by the Customer.

Talkdesk doesn’t use AI systems to process personal data in a way that uses automated decision-making systems. All our AI systems are subject to human oversight and are regularly tested to ensure fairness and accuracy.

The provision of the Talkdesk Service includes authentication and permission verification for operational support and billing processing.

Talkdesk restricts access to the information to the minimum amount required to provide its services, and it will be processed according to the purposes for which it was collected.

How long is personal information retained?

The controller defines the retention periods for the information collected and stored in our systems.

When a customer terminates its contract with Talkdesk, the information is removed according to the Master Subscription Agreement or earlier upon request.

Talkdesk may retain anonymised data for extended periods to analyse how the service is used and improve it.

What are the data subject rights?

As a processor, Talkdesk will assist the customer (controller) to comply with their legal obligations under the law. Data subject rights depend on the jurisdictions where the customer is located. Nevertheless, typical data subject rights include:

• Right of access: to obtain confirmation as to whether or not personal information concerning the data subject is being processed and, where that is the case, access to that personal information.

• Right to rectification: to obtain rectification of inaccurate personal information concerning the data subject.

• Right to erasure or be forgotten: to erase personal information concerning the data subject.

• Right to restrict processing: to restrict the processing of personal information to the extent permitted by law and following Talkdesk’s contractual and legal commitments.

• Right to data portability: to receive the personal information provided concerning the data subject in a structured, commonly used, and machine-readable format.

• Right to object: to object to the processing of personal data for reasons related to your situation.

• Right, not to be subject to automated decision-making: not to be subject to a decision based solely on automated processing.

• Right to withdraw consent: to remove consent for specific processing.

• Right to complaint: to lodge a complaint with an EU supervisory authority or invoke binding arbitration for complaints regarding EU-US DPF, UK GDPR, and FADP compliance not resolved by any of the other DPF mechanisms; for additional information: “https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2“.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Talkdesk commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to an EU Data Protection Authority (DPAs), the UK Information Commissioner’s Office (ICO) or the Swiss Federal Data Protection and Information Commissioner (FDPIC), an alternative dispute resolution provider based in the European Union, United Kingdom, or Switzerland, respectively. If you do not receive a timely acknowledgement of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://edpb.europa.eu/about-edpb/about edpb/members en for EU Data_Protection Authorities, https://ico.org.uk/make-a-complaint/ for the UK Extension to the EU-U.S. DPF, or https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html on the Swiss-U.S. DPF, for more information or to file a complaint. The services of these organizations are provided at no cost to you.

How can a data subject exercise its rights?

When Talkdesk processes information on behalf of a customer, the customer must directly address all data subject rights. Talkdesk will assist the customer as required by law.

To whom may personal information be transferred?

As a processor, Talkdesk only processes data to provide the agreed-upon service according to customer-specific instructions.

Talkdesk has implemented mechanisms to choose and engage with providers who will assist us in performing parts of the services that we cannot offer. Those vendors are selected based on their compliance and adoption of security, AI, and privacy standards/frameworks, which should be at least the same as the ones complied with by Talkdesk. Talkdesk performs regular due diligence on third parties for security and privacy compliance.

Upon request, a list of Talkdesk sub-processors can be provided. Such requests must be sent to [email protected].

Talkdesk may transfer data concerning a merger, acquisition, or any transfer or sale to potential buyers.

Talkdesk may disclose data to government entities where the disclosure of information is legally required under local laws or required to comply with legal requests.

Talkdesk does not sell the information collected using the Talkdesk service (as the term “sell” is defined under the CCPA).

Where is information stored?

As a US-headquartered multinational company, by default, Talkdesk processes and stores personal data in the United States; however, the customer has other processing facilities in different regions (such as Europe, Canada, Australia and the United Kingdom) to choose from and better suit their privacy needs.

When a transfer of information from the European Economic Area (EEA) and Switzerland to other countries happens, it’s made based on:

• Adequacy Decision: Countries designated by the European Commission as having adequate protection for personal information.

• Standard Contractual Clauses: Talkdesk relies on the European Commission’s model contracts (i.e., standard contractual clauses) to transfer personal information to third countries under Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

Transfers between other jurisdictions may require specific and additional provisions that the customer must define with Talkdesk.

In the context of an onward transfer, Talkdesk is responsible for processing personal data received under the EU-U.S. DPF and transfers to a third party acting as a processor on its behalf. Talkdesk remains liable under the principles of EU-U.S. DPF and the Swiss-U.S. DPF if its processor processes such personal information in a manner inconsistent with the principles unless the organization proves that it is not responsible for the event that caused the damages.

How is information protected?

Talkdesk adopts an Information Security and Privacy Information Management System (ISMS and PIMS) and a business continuity management system (BCMS) as a framework for continuous improvement of security, privacy, AI, and business continuity. The ISMS, PIMS, and BCMS include Policies, Awareness of Security and Privacy, adequate procedural and technical controls, audit logging, and third-party due diligence, among other things.

Additionally, Talkdesk has put in place technical documentation and transparency reports to ensure compliance with emerging AI laws and frameworks.

Personal Information from Children

Talkdesk never knowingly accesses personal information from children under 13. If we obtain actual knowledge that we have processed personal information from a child under 13, that information is immediately removed from any access. Because we do not collect such information, we have no information to use or disclose to third parties. This notice complies with the Children’s Online Privacy Protection Act (COPPA).

Jurisdictions

Talkdesk will continuously make adequate efforts to ensure compliance with relevant privacy, AI and data protection legislation and regulations across where it operates, which may also require specific contractual jurisdiction to be addressed. The continuous implementation, review, and improvement of the Privacy Information Management System (ISMS) should provide the means to accomplish the standard approach to Talkdesk

Global Privacy legislation and regulations requirements.

Talkdesk processes personal information in a jurisdiction that allows it to comply with the most common and well-known privacy laws and regulations.

Talkdesk shall transfer data from the European Economic Area (EEA), United Kingdom (U.K.), and Switzerland to an outside jurisdiction using safeguards to ensure an adequate level of data protection, as defined in the General Data Protection Regulation (GDPR).

For other jurisdictions and specific privacy laws and regulations, Talkdesk will make adequate efforts to comply with the specific local/regional requirements, where applicable, following the GDPR standard approach as the Global Legal Privacy reference.

Talkdesk complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the U.K. Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) set forth by the U.S. Department of Commerce. Talkdesk has been certified by the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) concerning the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in dependence on the U.K. Extension to the EU-U.S. DPF.

Talkdesk has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) about processing personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program and to view our certification, please visit https://www.dataprivacyframework.gov/.

Talkdesk is also subject to the investigation and enforcement of the Federal Trade Commission (FTC) or another statutory body that will effectively ensure compliance with the EU-US DPF principles; you can learn more about it at https://www.ftc.gov/. Talkdesk is committed to ensuring that the principles of the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the U.K. Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) are complied with, even after we leave the DPF program.