Instadesk Privacy Policy

Date of Version Update: 2026/01/29

I. Definitions and Scope of Application

1.1 Definitions of Key Terms

Unless otherwise stated, the following terms in this Privacy Policy have the following meanings:

• We/Instadesk/Data Processor: ZKJ TECHNOLOGY PTE. LTD. (registered address: 4th Floor, Unit 04, TRIVEX Building, 8 Bernam Road, Singapore 369977), acting as the technology provider and data processor of the SaaS platform, processes the personal data of end users on behalf of the Customer (Data Controller).

• Customer/Data Controller: Refers to the corporate user that purchases and uses Instadesk SaaS services. The Customer determines the purposes and methods of processing its user data and bears primary legal liability for data processing activities.

• End User: Refers to the data owner provided by the Customer that purchases and uses Instadesk SaaS services, or the final user targeted by the Customer's use of Instadesk services.

• Personal Data: Refers to any information relating to an identified or identifiable natural person ("Data Subject"), including but not limited to name, email address, telephone number, IP address, device identifier, session records, call recordings, work order content, customer tags, and geolocation information.

• Special Categories of Data: Including but not limited to data relating to race, political opinions, religious beliefs, health status, and biometric data. Instadesk does not actively collect or process such data by default. If the Customer uploads or enters such information through the platform (e.g., health details in work order notes), Instadesk will only store and transmit the data in accordance with the Customer's instructions. We advise the Customer to avoid processing sensitive data unless necessary; if processing is mandatory, the Customer must ensure legal basis and implement additional protective measures.

• Processing: Refers to any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

II. Data Controller and Contact Information

2.1 Disclosure of Identity Information

As a technology service provider of the SaaS intelligent customer service platform, Instadesk typically acts as a Data Processor. Its Customers (enterprises using Instadesk services) act as Data Controllers of the personal data of end users, responsible for determining the purposes, methods, and legal basis of data processing.

Nevertheless, to ensure transparency, we hereby disclose the following statutory contact information:

• Company Full Name: ZKJ TECHNOLOGY PTE. LTD.

• Registered Address: 4th Floor, Unit 04, TRIVEX Building, 8 Bernam Road, Singapore 369977

• Customer Service and Data Protection Inquiry Email: support@Instadesk.com

2.2 Data Protection Officer (DPO)

We have officially appointed a Data Protection Officer (DPO) responsible for overseeing the organization's data protection policies and compliance practices, and serving as the primary contact for communication with regulatory authorities and Data Subjects.

• Direct Contact Information: DPO@instadesk.com

• Communication Languages: English, Chinese

You may contact the Data Protection Officer directly via the above email without going through the customer service channel. All communications related to data protection will be handled with strict confidentiality.

III. Data Collection and Sources

As a SaaS intelligent customer service platform, Instadesk processes the personal data of end users on behalf of the Customer (Data Controller) upon its authorization and instructions. We process data strictly within the scope necessary to provide, maintain, optimize, and secure the services, and fully comply with the Customer's configurations and instructions.

3.1 List of Data Types

3.1.1 Classification Based on Business Scenarios

(1) Essential Service Information Required Before Use:

• Name, telephone number, and email address of the authorized representative;

• Business license, legal representative identification document, handler identification document, and photo of the handler holding the ID card, which may need to be submitted for certain specific functions;

• Outbound call script templates and details of the source of customer lists.

(2) Information Required When Your Authorized Representative Registers as a User and Logs in to the Product for the First Time:

• Company name, company size, industry, as well as the authorized representative's telephone number, email address, secondary domain name, and custom login password.

(3) Questionnaires Filled Out When Participating in Online Activities May Include:

Name, telephone number, and other information.

3.1.2 Based on Instadesk Functional Scenarios (Including Online Customer Service, Cloud Call Center, Email, Work Orders, Customer Center, and Management Configuration), We May Process the Following Categories of Personal Data:

(1) Customer Account and Management Data

• Company name, tax identification number (if applicable);

• Name, position, email address, and telephone number of administrators and agents;

• Login credentials (stored in encrypted form) and role permission configurations;

• Skill group assignment and work scheduling information.

Note: Such data is provided by the Customer for system management and service configuration.

(2) End User Interaction Data

• Name, email address, telephone number, and social media accounts (e.g., WhatsApp, Facebook ID);

• IP address, device type, browser information, operating system;

• Session records (text chat, email, and call-to-text records);

• Video/voice call metadata (excluding the content itself unless the Customer enables the recording function);

• File attachments (e.g., images and documents uploaded by users);

• Customer tags and custom fields (defined and filled in by the Customer).

(3) Technical and Log Data

• Network access method, type, access timestamp, session duration, and page browsing path;

• Operation logs (e.g., system permission logs for granting the product access to the microphone or camera when using the voice/video call function);

• System permission operation logs for granting the product access to the calendar when using the calendar function;

• Service log information (e.g., website information viewed in the product and service fault information);

• API call records (e.g., Microsoft Azure ASR, Microsoft Azure TTS, MyVocal TTS);

• Data generated by Cookies and similar tracking technologies.

3.2 Explanation of Data Sources

The personal data we process mainly comes from the following channels:

| Source Type | Explanation |
| --- | --- |
| Direct Collection | - Customer administrators create agent accounts or import customer lists, customer profiles, and customer data in the background;<br>- End users may actively seek help and share information through embedded customer service channels on websites, email, WhatsApp, and other platforms. |
| Automatic Collection | - When users visit the Customer's website or use customer service functions, the system automatically records IP, device information, and session behaviors;<br>- Background operation logs (e.g., agent login, quick access usage, work order transfer). |
| Third-Party Provision | - Receiving user messages and data through APIs or official channels (e.g., Facebook Messenger, Instagram, Shopify, Amazon, TikTok Shop, WhatsApp, eBay, Shoplazza, Lazada);<br>- Necessary data transmitted when Amazon Web Services (AWS) provides infrastructure or communication services. |

We will not purchase or obtain personal data from unauthorized data brokers or other third parties.

All data processing activities are conducted within the scope of the services explicitly configured by the Customer. The Customer may view, export, or delete its data through the management console at any time.

IV. Processing Purposes and Legal Basis

As a Data Processor, Instadesk processes personal data only within the scope of the written instructions of the Customer (Data Controller) and the provisions of this Privacy Policy. All processing activities have a legal basis and adhere to the principles of "purpose limitation" and "data minimization".

The following table lists the main processing activities and corresponding purposes:

| Processing Activity | Explanation of Processing Purpose |
| --- | --- |
| Account Creation and Management | Create system accounts and assign permissions for customer administrators and agents to support multi-role collaboration |
| Session Message Routing and Display | Receive end user messages through websites, email, WhatsApp, Facebook, and other channels, and assign them to corresponding agents according to the skill groups and routing rules configured by the Customer |
| Activation of Intelligent Assistance Functions | Provide AI-enabled functions, including quick command suggestions, knowledge base retrieval, automatic form filling, script optimization, and sensitive word detection |
| Call Recording and Transcription (if enabled) | Record incoming/outgoing voice calls and generate text for service quality monitoring, training, or dispute evidence collection |
| Logging and System Monitoring | Record system operation logs, API calls, and error information to ensure service stability, support security audits, and troubleshoot faults |
| Customer Support and Technical Services | Respond to customer service inquiries, technical support requests, and work order submissions, and provide remote diagnosis or configuration assistance |
| Product Improvement and Analysis | Optimize the user interface/user experience (UI/UX) and develop new functions based on anonymized aggregated usage data (e.g., function usage frequency, channel distribution) |
| Compliance and Fulfillment of Legal Obligations | Respond to court orders, regulatory investigations, or tax audit requirements |

4.1 Explanation of "Legitimate Interests"

For processing activities based on "legitimate interests" (e.g., security logs, anonymized analysis), we have conducted a Legitimate Interest Assessment (LIA) and ed that:

• There is a genuine and current legitimate interest (e.g., fraud prevention, system security assurance);

• The impact on the rights and freedoms of Data Subjects is minimal;

• Appropriate measures (e.g., pseudonymization, access control) have been taken to reduce risks;

4.2 Special Circumstances for User Consent

The following scenarios require the Data Controller to obtain explicit prior consent from the end user:

• Enabling call recording or video recording functions;

• Using Cookies for non-essential tracking (e.g., marketing analysis);

• Automated decision-making or creation of user profiles (e.g., tagging chat content for targeted marketing).

Instadesk will not replace the Customer in fulfilling its disclosure obligations and fiduciary responsibilities as a Data Controller.

V. Mechanism for Realizing Data Subjects' Rights

Instadesk respects and supports end users (Data Subjects) in exercising the prescribed rights. As a Data Processor, we assist the Customer (Data Controller) in fulfilling its response obligations and provide necessary technical interfaces and process support.

5.1 List of Rights and Methods of Exercise

End users may submit the following requests to the Customer they are in contact with (the enterprise using Instadesk services). The Customer may efficiently process these requests through Instadesk's background tools.

| Right Type | Explanation | Instadesk Support Method |
| --- | --- | --- |
| Right of Access | Obtain a copy of personal data and details of processing (purpose, category, recipient, etc.) | The Customer can export all sessions and call records of a specified user through the "Report Center" and all work order records of a specified user through "Work Orders" |
| Right to Rectification | Correct inaccurate or incomplete personal data | The Customer can edit fields in "Customer Management" or update data through APIs |
| Right to Erasure | Request deletion of their data when there is no legitimate reason | The Customer can manually delete sessions, work orders, and customer profiles, and the system supports batch deletion |

Important Note: Instadesk does not directly accept requests from end users regarding their rights. All requests must first be submitted to the enterprise cooperating with us (our Customer). The Customer is responsible for verifying the identity of the requester and deciding whether to execute the request.

5.2 Response Service Level Agreement (SLA) and Process Guarantee

To help Customers achieve efficient compliance, we commit to:

• Internal Response Timeframe: Complete technical operations (e.g., data extraction, deletion, export) within 15 working days of receiving a formal Data Subject rights request from the Customer;

• Identity Verification Support: Provide multi-dimensional customer identification information (telephone number, email address, session ID) to help the Customer verify the identity of the requester and prevent impersonation risks;

• Principle of Free Service: No additional fees will be charged for reasonable requests;

• Handling of Complex Requests: When a request involves multiple system modules (e.g., call recordings, emails, work orders), coordinate all subsystems for unified processing;

• Explanation of Backed-Up Data: Deleted production data will be cleared from the backup system within 30 days. During this period, the backed-up data will only be used for disaster recovery and shall not be used for business queries or analysis.

In addition, Instadesk provides the following background functions:

• Data Export Tool: Supports filtering and exporting by customer, time range, and channel;

• Audit Logs: Records all sensitive operations (e.g., data export, deletion) to ensure traceability.

We encourage Customers to clearly specify the channel for exercising rights in their end user privacy policies and disclose Instadesk as their technical support provider.

VI. Cross-Border Data Transfer

Instadesk is committed to ensuring the compliance of all personal data processing activities, especially those involving cross-border transfers. We adopt multi-level safeguards to ensure comprehensive protection of personal data even in cross-border scenarios.

6.1 Data Residency and Storage Location

• The data generated by the Customer's use of our products is stored based on the deployment location of the product purchased by the Customer. For example, if you use our products deployed in Singapore, the data generated by your use of the services will be stored on cloud servers in Singapore. You should investigate the relevant requirements of the country where the Data Subjects of the data you provide are located regarding data localization before using our services. If the country where the Data Subjects are located has data localization requirements and the data you provide or generate is not stored locally, you may face corresponding penalties for violating such provisions. Therefore, please understand the relevant national laws and regulations in advance and be aware of the location where we store data before transmitting the data of the relevant Data Subjects to avoid legal risks and economic losses due to non-compliance.

6.2 Legal Mechanisms for Cross-Border Transfers

Generally, we process your personal data in the country or region where the product is deployed. However, in the process of providing services, your data may be transferred to countries or regions outside the deployment location. Such transfers may occur in the following circumstances: the Customer is located in a third country and accesses the server, the product's cooperative suppliers are located in third countries, the product's operation and maintenance personnel are located in third countries, etc.

When transferring your personal data to countries or regions outside the deployment location, we will take appropriate safeguards to protect your data. Such transfers may be conducted in countries or regions that have an equivalent level of data protection as the data storage country; for countries or regions with a lower level of data protection than the data storage country, we will sign Standard Contractual Clauses (SCCs) or adopt other legally recognized transfer mechanisms.

VII. Sub-Processor Management

As a Data Processor, Instadesk may entrust third parties ("Sub-Processors") to perform specific technical or infrastructure services when providing SaaS services. We ensure that all sub-processing activities are conducted within the scope authorized by the Customer and maintain a level of data protection not lower than that specified in the main contract. 

List of Sub-Processors

The following is the current list of Instadesk's Sub-Processors, including their names, countries/regions, processing purposes, and related data types. This list will be updated and published regularly.

| Sub-Processor Name | Country/Region | Processing Purpose | Related Data Types |
| --- | --- | --- | --- |
| Amazon Web Services (AWS) | Singapore | Cloud infrastructure, data storage, and computing resources | All customer and end user data (stored in encrypted form) |
| Microsoft Azure | Southeast Asia | Text-to-speech; speech-to-text; text generation; text translation | Audio files; text data |
| Eleven Labs | United States | Text-to-speech; voice cloning | Audio files; text data |
| Tencent | Singapore, Europe | Speech-to-text | Audio files |
| Google | Singapore | Text translation | Text data |
| Zhongkejin | Singapore | Text-to-speech; speech-to-text | Audio files; text data |
| MyVocal | Thailand, Ireland | Text-to-speech; voice cloning | Audio files; text data |
| BytePlus | Singapore | Text-to-speech | Text data |
| Minimax | China | Text-to-speech; voice cloning | Audio files; text data |

VIII. Data Security and Technical Measures

Instadesk strictly complies with the provisions on "processing security" and implements technical and organizational measures commensurate with the risks of processing activities to ensure the confidentiality, integrity, availability, and resilience of personal data. We adopt a defense-in-depth strategy covering all dimensions such as physical, network, application, and personnel.

8.1 Security Technical Measures

(1) Encryption Protection

• End-to-End Encryption: All data is encrypted using TLS 1.3 or higher, with HTTP Strict Transport Security (HSTS) enabled by default;

• End-to-End Encryption (E2EE): For high-sensitivity scenarios (e.g., medical, financial consulting), session-level end-to-end encryption can be enabled for the Customer (requires separate configuration).

(2) Access Control

• Role-Based Access Control (RBAC): Separation of permissions for agents, team supervisors, and administrators, adhering to the principle of least privilege;

• Multi-Factor Authentication (MFA): All administrators and technical support personnel must enable multi-factor authentication, including Time-Based One-Time Password (TOTP) and Fast Identity Online (FIDO2) security keys;

• Session Timeout and Automatic Logout: Supports automatic logout upon session timeout;

• IP Whitelisting: The Customer can restrict the source of IP addresses for background login.

(3) Anonymization and Pseudonymization

• Log and analysis systems adopt privacy data desensitization by default to avoid direct association with real identities;

• Report export supports field desensitization (e.g., telephone numbers displayed as 138****1234);

• Synthetic data or fully anonymized datasets are used in the test environment.

(4) Threat Protection

• Web Application Firewall (WAF): Provided by Amazon Web Services (AWS) to defend against OWASP Top 10 attacks;

• Intrusion Detection and Prevention System (IDS/IPS): Real-time monitoring of high-risk activities such as unauthorized login and bulk data export;

• Vulnerability Management: Conduct automated scanning, fix high-risk vulnerabilities, and perform penetration testing in accordance with Amazon Web Services (AWS) requirements.

(5) Auditing and Monitoring

• All sensitive operations (login, data export, deletion, permission changes) are recorded in tamper-proof logs;

• Logs are retained for 180 days, supporting retrieval by user, time, or operation type;

• Abnormal behaviors trigger real-time alerts and notify the security team.

8.2 Organizational Management Measures

(1) Personnel Management

• All employees and contractors must sign a Non-Disclosure Agreement (NDA) specifying data protection obligations;

• Conduct regular data compliance training for employees and assess their mastery of the training content.

(2) Business Continuity and Disaster Recovery

• Daily incremental backups + weekly full backups, retained for 30 days;

• Conduct disaster recovery drills annually to verify the effectiveness of backups.

(3) Privacy by Design and Privacy by Default

• New function development follows the Data Protection Impact Assessment (DPIA) process;

• Non-essential data (e.g., location, device fingerprint) is not collected by default;

We continuously invest resources to improve security and compliance standards and commit to bearing full legal liability for data breaches caused by insufficient security measures.

IX. Data Breach Notification Mechanism

Instadesk has established an emergency response mechanism for personal data breaches to ensure rapid identification, containment, assessment of security incidents, and fulfillment of notification obligations in accordance with the law.

9.1 Notification Obligation from Processor to Controller

As a Data Processor, Instadesk commits to:

• Upon ing a personal data breach, notify the Customer's designated security contact (usually an administrator or Data Protection Officer) in writing (via email and console ) within 24 hours;

• Trigger notification as long as there is a risk that the rights and freedoms of Data Subjects may be infringed, without waiting for the completion of the risk assessment;

• The notification content includes:

○ Description of the nature of the breach (e.g., unauthorized access, data theft, system configuration error);

○ Categories and approximate quantity of affected data (e.g., "session records of approximately 500 users");

○ Types of Data Subjects that may be affected (e.g., end users, agents);

○ Approximate time of the breach;

○ Remedial measures already taken or to be taken (e.g., account freezing, key reset, vulnerability fix);

○ Name and contact information of the Data Protection Officer (DPO) or designated contact;

○ Mitigation measures recommended to the Customer (e.g., notifying users to change passwords).

9.2 Notification from Controller to Regulatory Authorities and Data Subjects

As the Data Controller, the Customer is responsible for making the final decision on whether to report to regulatory authorities or Data Subjects. Instadesk will fully cooperate:

• Reporting to Regulatory Authorities: If the Customer determines that the data breach "is likely to result in a risk to the rights and freedoms of natural persons", it must submit a formal report to the data protection regulatory authority of the country where its main place of business is located within 72 hours of becoming aware of the breach. We can provide technical details to assist in meeting the reporting requirements;

• Notifying Data Subjects: The Customer must directly notify affected users without undue delay only if the breach is likely to result in high risks (e.g., identity theft, financial loss).

9.3 Internal Response Process

Our data breach response process includes the following phases:

1. Detection and Confirmation: Identify potential incidents through Security Information and Event Management (SIEM) systems, abnormal monitoring, or third-party reports;

2. Containment and Isolation: Immediately isolate the affected system, revoke credentials, and block the attack path;

3. Investigation and Assessment: The security team collaborates with the Data Protection Officer (DPO) to conduct root cause analysis and impact assessment;

4. Notification and Collaboration: Notify the Customer within the specified time limit and continuously update the progress;

5. Recovery and Improvement: Fix vulnerabilities, restore services, and update security policies to prevent recurrence;

6. Documentation and Archiving: Fully record the incident handling process for regulatory review.

X. Data Retention Period

Instadesk strictly adheres to the principle of "storage limitation" and retains personal data only for the necessary period required to achieve the processing purposes.

10.1 Default Retention Policy

Unless otherwise configured by the Customer or required by law, the default retention periods for the following data types are as follows:

| Data Type | Deletion Trigger Conditions |
| --- | --- |
| Customer Account Information | Customer actively deletes, requests deletion, cancels the account, or the service contract expires without renewal |
| End User Session Records (online chat, email, social media messages) | Customer actively deletes, requests deletion, cancels the account, or the service contract expires without renewal |
| Call Recordings and Transcribed Text | Customer actively deletes, requests deletion, cancels the account, or the service contract expires without renewal |
| Work Order Records and Attachments | Customer actively deletes, requests deletion, cancels the account, or the service contract expires without renewal |
| System Operation Logs (login, export, deletion, etc.) | Customer actively deletes, requests deletion, cancels the account, or the service contract expires without renewal |
| Backed-Up Data | Customer actively deletes, requests deletion, cancels the account, or the service contract expires without renewal |

10.2 Deletion Execution Mechanism

We ensure that data is deleted on time and completely through the following methods:

• Automatic Deletion: The system automatically performs physical deletion according to instructions;

• Manual Deletion by Customer:

○ Supports deleting customer profiles individually or in batches;

XI. Cookies and Tracking Technologies

Instadesk uses Cookies and other automated data collection technologies on its official website (e.g., www.Instadesk.com) and the "embedded customer service components" provided to Customers (e.g., website chat windows, help centers).

11.1 Purposes and Classification of Cookie Usage

11.1.1 Purposes of Cookie Usage

To ensure the normal operation of the website, provide you with a more convenient browsing experience, and recommend content that may be of interest to you, we will store small data files called Cookies on your computer or mobile device. Cookies usually contain an identifier, the name of the website, and some numbers and characters.

11.1.2 Functions of Cookies

With the help of Cookies, we can store your preferences and other data so that the required information can be directly displayed when you visit next time; or identify your source website through Cookies to track advertising effectiveness.

11.1.3 Cookie Management

You can manage Cookies according to your own preferences or clear all Cookies stored on your computer. However, this will result in you needing to reset user configurations every time you visit our website. For detailed information on how to change browser settings, you can check the settings page of the browser you are using.

11.1.4 Other Similar Technologies

In addition to Cookies, we also use other similar technologies such as web beacons and pixel tags on the website. For example, emails sent to you may contain links to website content. If you click on the link, we will track this click behavior to help us understand your preferences for products or services, thereby proactively optimizing the customer service experience.

XII. Protection of Children's Data

Instadesk fully recognizes the special sensitivity of children's (minors') personal data and strictly complies with relevant regulations. Our platform is not designed or promoted for children.

Customer Responsibility Reminder

We strongly advise Customers to:

• Clearly state in their end user privacy policies that minors are not accepted for consultation;

• If the business scenario requires processing children's data (e.g., Customers in the education, medical industry), they should:

○ Implement an effective age verification mechanism;

○ Obtain verifiable consent from guardians (e.g., through two-factor authentication, written authorization);

○ Avoid storing children's sensitive information (e.g., health records, home addresses) in Instadesk.

Instadesk shall not be liable for the Customer's violations of children's data protection obligations, but will fully cooperate with regulatory investigations and data cleaning work.

XIII. Privacy Policy Update Mechanism

Instadesk is committed to continuously improving data protection practices and will update this Privacy Policy as required by changes in laws and regulations, technological development, or business adjustments. We ensure that all changes are transparent and traceable, and fully disclose them to users while safeguarding their right to choose.

13.1 Methods of Notification of Changes

For material changes (e.g., expanding processing purposes, adjusting cross-border transfer mechanisms, adding new categories of sensitive data), we will take the following notification measures in advance:

• Customer Notification:

○ Pin a notification at the top of the Instadesk management console;

• End User Notification (Customer's Responsibility):

○ We recommend that the Customer synchronously update the end user privacy statement on its website or customer service interface;

○ Instadesk provides a template for a summary of policy changes to help the Customer fulfill its notification obligation.

13.2 User Acceptance and Opt-Out Mechanism

• Continued Use Constitutes Acceptance: After the changes take effect, if the Customer continues to use Instadesk services, it shall be deemed as acceptance of the updated terms;

• Right to Object and Opt-Out: If the Customer disagrees with the material changes, it may take the following measures before the effective date:

○ Export all data (supports XLSX format);

○ Apply to close the account;

○ Contact the account manager to negotiate alternative solutions;

• We commit not to unilaterally delete the Customer's data due to its refusal to accept the new policy, unless the service has been terminated and the retention period has expired.

Through the above mechanisms, we ensure that the Privacy Policy always reflects the actual processing activities and safeguard users' continuous control over their personal data.

XIV. Dispute Resolution and Jurisdiction

To clarify the applicable law and dispute resolution process, Instadesk establishes a dispute resolution mechanism in this chapter to ensure that users' rights are not infringed, especially their right to complain to regulatory authorities.

14.1 Applicable Law and Jurisdiction

The applicable law and jurisdiction of these terms shall be subject to the provisions of the contract signed with the Customer.

14.2 Dispute Resolution Support

• If the Customer or Data Subject has questions about data processing, it is recommended to first contact through the following channels:

○ Contact the Customer's Data Protection Officer (DPO) or customer service team (for end users);

○ Customer administrators contact the Instadesk support team: support@Instadesk.com;

○ Directly contact the Instadesk Data Protection Officer (DPO): DPO@instadesk.com;

• We commit to providing an initial response within 15 working days of receiving a written dispute request and strive to resolve the issue through negotiation.

XV. Supplementary Notice for Processing Data of EEA (i.e., EU Member States, Iceland, Liechtenstein, and Norway), Switzerland, and the United Kingdom

The following terms provide additional notices regarding our processing of personal data from the EEA (i.e., EU Member States, Iceland, Liechtenstein, and Norway), Switzerland, and the United Kingdom.

15.1 If You Are a Customer in the EEA or the Data You Upload Is of Users in the EEA, You May Also Exercise the Following Rights Regarding Personal Data:

| Right Type | Explanation | Instadesk Support Method |
| --- | --- | --- |
| Right to Restriction of Processing | Request suspension of data processing (e.g., during dispute resolution) | The Customer can mark the user as "restricted", and the system will stop non-essential processing such as automatic assignment and notification push |
| Right to Data Portability | Obtain the data provided to the platform in a structured, commonly used, and machine-readable format | Supports exporting session records (XLSX format), customer data (XLSX format), and work order details |
| Right to Object | Refuse processing based on legitimate interests or public tasks, especially processing for direct marketing or profiling | / |
| Right to Withdraw Consent | Withdraw consent at any time (without affecting the validity of previous processing) | If the Customer uses consent as the legal basis, it must record and respond to withdrawal requests on its own. Instadesk provides log audit support |
| Right to Lodge a Complaint | Lodge a complaint with the data protection regulatory authority of the country of residence | Users can directly contact their national regulatory authority |
| Right to Be Free from Automated Decision-Making | The types of automated decision-making mentioned in Article 22(1) and (4) of the EU/UK General Data Protection Regulation ("GDPR") do not apply to your personal data. If there is any change, we will inform you of the reasons and methods of any such decision, its significance, and possible consequences. You will also have the right to human intervention, to express your views, and to object to the decision. | / |

15.2 Data Residency and Cross-Border Transfers

If you use our products deployed in the European region, your data will be stored in the AWS Europe (Frankfurt) region by default. Generally, we process your personal data in the country or region where we operate or provide Instadesk services. However, in the process of providing services, your data may be transferred to countries or regions outside the EU/EEA. For example, the Sub-Processors mentioned in the aforementioned notice are located in third countries, and accessing and processing your data may involve cross-border transfers. These countries or these Sub-Processors may not provide an adequate level of data protection as required by EEA data protection laws. However, Instadesk is committed to ensuring that all personal data processing activities, especially those involving cross-border transfers, strictly comply with the provisions of Chapter V of the GDPR on "Transfers to Third Countries or International Organizations". We adopt multi-level safeguards to ensure that the personal data of EU/EEA users enjoys adequate protection even in cross-border scenarios.

XVI. Supplementary Notice for Processing California Consumers' Data

The provisions of this Privacy Policy regarding Sub-Processors refer to the types of data we may disclose to third parties. Pursuant to the California Consumer Privacy Act ("CCPA"), although we have not "sold" or "shared" personal data in exchange for money in the past 12 months, the data sharing behaviors between us and Sub-Processors to provide you with better services may be deemed as "sale" or "sharing" as defined by California law. We will not intentionally sell or share the personal data of minors under the age of 16. We will not collect or process "sensitive personal information" as defined by California law. If you believe that we have "sold" or "shared" your data, you have the right to opt out of such "sale" or "sharing" of personal data. However, this may result in your inability to use relevant functions or even the entire service.

XVII. Supplementary Information for Other Countries and Regions

Japan: All personal data collected, stored, used, and/or processed by Instadesk as described in this notice is collected, stored, used, and processed in accordance with the provisions of Japan's Act on the Protection of Personal Information (APPI).

Malaysia: All personal data collected, stored, used, and/or processed by Instadesk as described in this notice is collected, stored, used, and processed in accordance with the provisions of the Personal Data Protection Act 2010 (PDPA).

Mexico: All personal data collected, stored, used, and/or processed by Instadesk as described in this notice is collected, stored, used, and processed in accordance with the provisions of the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) enacted in 2010.