Mundo Pato Inc. Privacy Policy

Updated: July 1, 2019

This Privacy Policy describes how Mundo Pato collects, uses and discloses information, and what choices you have with respect to the information.

When we refer to “Mundo Pato”, we mean the Mundo Pato Inc. entity that acts as the controller or processor of your information.

Applicability of This Privacy Policy

This Privacy Policy applies to Mundo Pato’s UnitusTI: online electronic data records, cloud publishing, programs, curricula, materials, dashboards, assessments and management tools and platform services (collectively, the “Services”), mundopato.com and other Mundo Pato websites (collectively, the “Websites”) and other interactions (e.g., Client service inquiries, user conferences, etc.) you may have with Mundo Pato. If you do not agree with the terms, do not access or use the Services, Websites or any other aspect of Mundo Pato’s business.

This Privacy Policy does not apply to any third-party applications or software that integrate with the Services through the Mundo Pato platform (“Third Party Services”), or any other third party products, services or businesses. In addition, a separate agreement governs delivery, access and use of the Services (the “Subscription Agreement” or “Cloud Services Agreement”), including the processing of any messages, files or other content submitted through Services accounts (collectively, “Client Data”). The organization (e.g., your employer or another entity or person) that entered into the Subscription Agreement or Cloud Services Agreement (“Client”) controls their instance of the Services and any associated Client Data. If you have any questions about specific services settings and privacy practices, please contact the Client.

Information We Collect and Receive

Mundo Pato may collect and receive Client Data and other information and data (“Other Information”) in a variety of ways:

  • Client Data. Clients or individuals granted access to a Service by a Client (“Authorized Users”) routinely submit Client Data to Mundo Pato databases when using the Services.

  • Other Information. Mundo Pato also collects, generates and/or receives Other Information:

    1. Service and Account Information. To create or update a Service account, you or your Client (e.g., your employer) supply Mundo Pato with an email address, phone number, password, domain and/or similar account details. In addition, Clients that purchase a paid version of the Services provide Mundo Pato (or its payment processors) with billing details such as credit card information, banking information and/or a billing address.

    2. Usage Information.

      • Services Metadata. When an Authorized User interacts with the Services, metadata is generated that provides additional context about the way Authorized Users are performing tasks. For example, Mundo Pato logs the Services used, programs executed, session notes, etc., channels, people, features, content and links you interact with, the types of files shared and what Third Party Services are used (if any).

      • Log data. As with most websites and technology services delivered over the Internet, our servers automatically collect information when you access or use our Websites or Services and record it in log files. This log data may include the Internet Protocol (IP) address, the address of the web page visited before using the Website or Services, browser type and settings, the date and time the Services were used, information about browser configuration and plugins, language preferences and cookie data.

      • Device information. Mundo Pato collects information about devices accessing the Services, including type of device, what operating system is used and application IDs. Whether we collect some or all of this Other Information often depends on the type of device used and its settings.

      • Location information. We receive information from you, your Client and other third-parties that helps us approximate your location. We may, for example, use a business address submitted by your employer, or an IP address received from your browser or device to determine approximate location.

    3. Cookie Information. Mundo Pato uses cookies in our Websites and Services that help us collect Other Information. The Websites and Services may also include cookies and similar tracking technologies of third parties, which may collect Other Information about application usage and statistics.

Mundo Pato uses cookies. We use both session-based and persistent cookies. Mundo Pato sets and accesses our own cookies on the domains operated by Mundo Pato Inc. In addition, we may use third party cookies, like Google Analytics.

    4. Third Party Services. Client can choose to permit or restrict Third Party Services for their Service. Typically, Third Party Services are software that integrate with our Services, and Client can permit its Authorized Users to enable and disable these integrations for their Service. Once enabled, the provider of a Third-Party Service may share certain information with Mundo Pato. For example, if a cloud storage application is enabled to permit files to be imported to a Service, we may receive username and email address of Authorized Users, along with additional information that the application has elected to make available to Mundo Pato to facilitate the integration. When a Third Party Service is enabled, Mundo Pato is authorized to connect and access Other Information made available to Mundo Pato in accordance with our agreement with the Third Party Provider. We do not, however, receive or store passwords for any of these Third-Party Services when connecting them to the Services.

    5. Third Party Data. Mundo Pato may receive data about organizations, industries, Website visitors, marketing campaigns and other matters related to our business from parent corporation(s), affiliates and subsidiaries, our partners or others that we use to make our own information better or more useful. This data may be combined with Other Information we collect and might include aggregate level data, such as which IP addresses correspond to zip codes or countries. Or it might be more specific: for example, how well an online marketing or email campaign performed.

    6. Additional Information Provided to Mundo Pato. We receive Other Information when submitted to our Websites or if you participate in a focus group, contest, activity or event, apply for a job, request support, interact with our social media accounts or otherwise communicate with Mundo Pato Inc.

Generally, no one is under a statutory or contractual obligation to provide any Client Data or Other Information (collectively, “Information”). However, certain Information is collected automatically and, if some Information, such as Service setup details, is not provided, we may be unable to provide the Services.

How We Use Information

Client Data will be used by Mundo Pato in accordance with Client’s instructions, including any applicable terms in the Client Agreement and Client’s use of Services functionality, and as required by applicable law. Mundo Pato is a processor of Client Data and Client is the controller. Client may, for example, use the Services to grant and remove access to a Service, assign roles and configure settings, access, modify, export, share and remove Client Data and otherwise apply its policies to the Services.

Mundo Pato uses Other Information in furtherance of our legitimate interests in operating our Services, Websites and business. More specifically, Mundo Pato uses Other Information:

  • To provide, update, maintain and protect our Services, Websites and business. This includes use of Other Information to support delivery of the Services under a Client Agreement, prevent or address service errors, security or technical issues, analyze and monitor usage, trends and other activities or at an Authorized User’s request.

  • As required by applicable law, legal process or regulation.

  • To communicate with you by responding to your requests, comments and questions. If you contact us, we may use your Other Information to respond.

  • To develop and provide search, learning and productivity tools and additional features. Mundo Pato tries to make the Services as useful as possible for specific Services and Authorized Users. For example, we may improve search functionality by using Other Information to help determine and rank the relevance of content, channels or expertise to an Authorized User, make Services suggestions based on historical use and predictive models, identify organizational trends and insights, to customize a Services experience or create new productivity features and products.

  • To send emails and other communications. We may send you service, technical and other administrative emails, messages and other types of communications. We may also contact you to inform you about changes in our Services, our Services offerings, and important Services-related notices, such as emails about new product features, security and fraud notices. These communications are considered part of the Services and you may not opt out of them. In addition, we sometimes send emails about promotional communications or other news about Mundo Pato. These are marketing messages so you may control whether you receive them.

  • For billing, account management and other administrative matters. Mundo Pato may need to contact you for invoicing, account management and similar reasons and we use account data to administer accounts and keep track of billing and payments.

  • To investigate and help prevent security issues and abuse.

If Information is aggregated or de-identified so it is no longer reasonably associated with an identified or identifiable natural person, Mundo Pato may use it for any business purpose. To the extent Information is associated with an identified or identifiable natural person and is protected as personal data under applicable data protection law, it is referred to in this Privacy Policy as “Personal Data.”

Data Retention

Mundo Pato will retain Client Data in accordance with a Client’s instructions, including any applicable terms in the Client Agreement and Client’s use of Services functionality, and as required by applicable law. Client may view, archive and deactivate data at will. The deletion of Client Data and other use of the Services by Client may result in the deletion and/or de-identification of certain associated Other Information. Mundo Pato may retain Other Information pertaining to you for as long as necessary for the purposes described in this Privacy Policy. This may include keeping your Other Information after you have deactivated your account for the period of time needed for Mundo Pato to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes and enforce our agreements.

How We Share and Disclose Information

This section describes how Mundo Pato may share and disclose Information. Clients determine their own policies and practices for the sharing and disclosure of Information, and Mundo Pato does not control how they or any other third parties choose to share or disclose Information.

  • Client’s Instructions. Mundo Pato will solely share and disclose Client Data in accordance with a Client’s instructions, including any applicable terms in the Client Agreement and Client’s use of Services functionality, and in compliance with applicable law and legal process.

  • Displaying the Services. When an Authorized User submits Other Information, it may be displayed to other Authorized Users in the same or connected Services. For example, an Authorized User’s email address may be displayed with their Service profile.

  • Collaborating with Others. The Services provide different ways for Authorized Users working in independent Services to collaborate, such as shared programs and users. Other Information, such as an Authorized User’s profile Information, may be shared, subject to the policies and practices of the other Service(s).

  • Client Access. Owners, administrators, Authorized Users and other Client representatives and personnel may be able to access, modify or restrict access to Other Information. This may include, for example, your employer using Service features to export logs of Service activity, or accessing or modifying your profile details.

  • Third Party Service Providers and Partners. We may engage third party companies or individuals as service providers or business partners to process Other Information and support our business. These third parties may, for example, provide virtual computing and storage services.

  • We may need to share or provide information (including personal information) to them to help them perform these business functions, for example sending emails on our behalf, database management services, database hosting, fulfilling product orders, providing customer support software, and security. These partners and service providers have limited access to your personal information to perform these tasks on your behalf, and are contractually bound to protect and use it only for the purpose for which it was disclosed and must adhere to confidentiality and security obligations in a way that is consistent with this Privacy Policy.

  • Third Party Services. Client may enable or permit Authorized Users to enable Third Party Services. When enabled, Mundo Pato may share Other Information with Third Party Services. Third Party Services are not owned or controlled by Mundo Pato and third parties that have been granted access to Other Information may have their own policies and practices for its collection and use. Please check the privacy settings and notices in these Third-Party Services or contact the provider for any questions.

  • During a Change to Mundo Pato’s Business. If Mundo Pato engages in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of Mundo Pato’s assets or stock, financing, public offering of securities, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g. due diligence), some or all Other Information may be shared or transferred, subject to standard confidentiality arrangements. Consistent with applicable state and federal laws, in connection with such a change to our organization, if any, this Privacy Policy will continue to apply to your information, and any acquirer would only be able to handle your personal information as per this Privacy Policy (unless you give consent to a new policy). We will provide you with notice of an acquisition within thirty (30) days following the completion of such a transaction, by posting on our homepage and by email to your email address that you provided to us. If you do not consent to the use of your personal information by such a successor company, subject to applicable law, you may request its deletion from the company.

  • Aggregated or De-identified Data. We may disclose or use aggregated or de-identified Other Information for any purpose. For example, we may share aggregated or de-identified Other Information with prospects or partners for business or research purposes, such as telling a prospective Mundo Pato Client the average amount of time spent within a typical Service.

  • To Comply with Laws. If we receive a request for information, we may disclose Other Information if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation or legal process.

  • To enforce our rights, prevent fraud, and for safety. To protect and defend the rights, property or safety of Mundo Pato or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud or security issues.

  • With Consent. Mundo Pato may share Other Information with third parties when we have consent to do so.

Security

Mundo Pato takes security of data very seriously. Mundo Pato works hard to protect Other Information you provide from loss, misuse, and unauthorized access or disclosure. These steps take into account the sensitivity of the Other Information we collect, process and store, and the current state of technology. Given the nature of communications and information processing technology, Mundo Pato cannot guarantee that Information, during transmission through the Internet or while stored on our systems or otherwise in our care, will be absolutely safe from intrusion by others.

Age Limitations

To the extent prohibited by applicable law, Mundo Pato does not allow use of our Services and Websites by anyone younger than 16 years old. If you learn that anyone younger than 16 has unlawfully provided us with personal data, please contact us and we will take steps to delete such information.

Changes to This Privacy Policy

Mundo Pato may change this Privacy Policy from time to time. Laws, regulations and industry standards evolve, which may make those changes necessary, or we may make changes to our business. We will post the changes to this page and encourage you to review our Privacy Policy to stay informed. If we make changes that materially alter your privacy rights, Mundo Pato will provide additional notice, such as via email or through the Services. If you disagree with the changes to this Privacy Policy, you should deactivate your Services account. Contact the Client if you wish to request the removal of Personal Data under their control.

Data Compliance Officer

To communicate with our Compliance Officer, please email compliance@mundopato.com.

Identifying the Data Controller and Processor

Data protection law in certain jurisdictions differentiates between the “controller” and “processor” of information. In general, Client is the controller of Client Data. In general, Mundo Pato is the processor of Client Data and the controller of Other Information.

Your Rights

Individuals located in certain countries, including the European Economic Area, have certain statutory rights in relation to their personal data. Subject to any exemptions provided by law, you may have the right to request access to Information, as well as to seek to update, delete or correct this Information. You can usually do this using the settings and tools provided in your Services account. If you cannot use the settings and tools, contact Client for additional access and assistance: compliance@mundopato.com

To the extent that Mundo Pato’s processing of your Personal Data is subject to the General Data Protection Regulation (GDPR), Mundo Pato relies on its legitimate interests, described above, to process your data.

Data Request Policy

Mundo Pato receives requests from users and government agencies to disclose data other than in the ordinary operation and provision of the Services. This Data Request Policy outlines Mundo Pato’s policies and procedures for responding to such requests for Client Data. Any capitalized terms used in this Data Request Policy that are not defined will have the meaning set forth in the Client Terms of Service. In the event of any inconsistency between the provisions of this Data Request Policy and the Client Terms of Service or written agreement with Client, as the case may be, the Client Terms of Service or written agreement will control.

Requests for Client Data by Individuals

Third parties seeking access to Client Data should contact the Client regarding such requests. The Client controls the Client Data and generally gets to decide what to do with all Client Data.

Requests for Client Data by Legal Authority

Except as expressly permitted by the Contract or in cases of emergency to avoid death or physical harm to individuals, Mundo Pato will only disclose Client Data in response to valid and binding compulsory legal process. Mundo Pato requires a search warrant issued by a court of competent jurisdiction (a federal court or a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants) to disclose Client Data.

All requests by courts, government agencies, or parties involved in litigation for Client Data disclosures should be sent to compliance@mundopato.com and include the following information: (a) the requesting party, (b) the relevant criminal or civil matter, and (c) a description of the specific Client Data being requested, including the relevant Client’s name and relevant Authorized User’s name (if applicable) and type of data sought.

Requests should be prepared and served in accordance with applicable law. All requests should be narrow and focused on the specific Client Data sought. All requests will be construed narrowly by Mundo Pato, so please do not submit unnecessarily broad requests. If legally permitted, Client will be responsible for any costs arising from Mundo Pato’s response to such requests.

Mundo Pato is committed to the importance of trust and transparency for the benefit of our Clients and does not voluntarily provide governments with access to any data about users for surveillance purposes.

Client Notice

Mundo Pato will notify Client before disclosing any of Client’s Client Data so that the Client may seek protection from such disclosure, unless Mundo Pato is prohibited from doing so or there is a clear indication of illegal conduct or risk of harm to people or property associated with the use of such Client Data. If Mundo Pato is legally prohibited from notifying Client prior to disclosure, Mundo Pato will take reasonable steps to notify Client of the demand after the nondisclosure requirement expires. In addition, if Mundo Pato receives a National Security Letter with an indefinite non-disclosure requirement, Mundo Pato will initiate procedures for judicial review.

Domestication and International Requests

Mundo Pato requires that any individual issuing legal process or legal information requests (e.g., discovery requests, warrants, or subpoenas) to Mundo Pato properly domesticate the process or request and serve Mundo Pato in a jurisdiction where it is resident or has a registered agent to accept service on its behalf. Mundo Pato does not accept legal process or requests directly from law enforcement entities outside the U.S. or Canada. Foreign law enforcement agencies should proceed through a Mutual Legal Assistance Treaty or other diplomatic or legal means to obtain data through a court where Mundo Pato is located.

Security Practices  

We take the security of your data very seriously at Mundo Pato. As transparency is one of the principles on which our company is built, we aim to be as clear and open as we can about the way we handle security.

If you have additional questions regarding security, we are happy to answer them. Please write to compliance@mundopato.com and we will respond as quickly as we can.

Confidentiality

We place strict controls over our employees’ access to the data you and your users make available via the Mundo Pato services, as more specifically defined in your agreement with Mundo Pato covering the use of the Mundo Pato services ("Client Data"), and are committed to ensuring that Client Data is not seen by anyone who should not have access to it. The operation of the Mundo Pato services requires that some employees have access to the systems which store and process Client Data. For example, in order to diagnose a problem you are having with the Mundo Pato services, we may need to access your Client Data. These employees are prohibited from using these permissions to view Client Data unless it is necessary to do so. We have technical controls to ensure that any access to Client Data is logged.

All of our employees and contract personnel are bound to our policies regarding Client Data and we treat these issues as matters of the highest importance within our company.

Personnel Practices

Mundo Pato conducts background checks on all employees before employment, and employees receive privacy and security training during onboarding as well as on an ongoing basis. All employees are required to read and sign our comprehensive information security policy covering the security, availability, and confidentiality of the Mundo Pato services.

Compliance

The following security-related audits and certifications are applicable to the Mundo Pato services:

  • PCI: Mundo Pato is a PCI Level 3 Merchant and has completed the Payment Card Industry Data Security Standard’s SAQ-A. We use a third party to process credit card information securely. Mundo Pato is not currently a PCI-certified Service Provider.

The environment that hosts the Mundo Pato services maintains multiple certifications for its data centers, including ISO 27001 compliance, FedRAMP authorization, PCI Certification, and SOC reports. For more information about their certification and compliance, please visit the AWS Security website, AWS Compliance website, Google Security website, and Google Compliance website.

Security Features for Team Members & Administrators

In addition to the work we do at the infrastructure level, we provide Team Administrators of paid versions of the Mundo Pato services with additional tools to enable their own users to protect their Client Data.

Access Logging

Detailed access logs are available both to users and administrators of paid teams. We log every time an account signs in, noting the type of device used and the IP address of the connection.

Team Administrators and owners of paid teams can review consolidated access logs for their whole team.

Single Sign On

Administrators of paid teams can integrate their Mundo Pato services instance with a variety of single-sign-on providers.

Deletion of Client Data

Mundo Pato provides the option for services Primary Owners to delete Client Data at any time during a subscription term. Within 36 hours of workspace Primary Owner initiated deletion, Mundo Pato hard deletes all information from currently-running production systems (excluding team and channel names, and search terms embedded in URLs in web server access logs). Mundo Pato services backups are destroyed within 4 days.

Return of Client Data

Upon client termination of the agreement, client data can be exported, in standard formats, by the client. If there is a client request to export the data, Mundo Pato may export the data to a standard format.   

Data Encryption In Transit and At Rest

The Mundo Pato services support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit. Client Data is encrypted at rest.

Availability

We understand that you rely on the Mundo Pato services to work. We're committed to making Mundo Pato a highly-available service that you can count on. Our infrastructure runs on systems that are fault tolerant to failures of individual servers or even entire data centers. Our operations team tests disaster-recovery measures regularly and staffs an around-the-clock on-call team to quickly resolve unexpected incidents.

Disaster Recovery

Client Data is stored redundantly at multiple locations in our hosting provider’s data centers to ensure availability. We have well-tested backup and restoration procedures, which allow recovery from a major disaster. Client Data and our source code are automatically backed up nightly. The Operations team is alerted in case of a failure with this system. Backups are fully tested at least every 90 days to confirm that our processes and tools work as expected.

Network Protection

Firewalls are configured according to industry best practices and unnecessary ports are blocked by configuration with AWS Security Groups.

Host Management

Logging

Mundo Pato maintains a centralized logging environment in its production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about the Mundo Pato services. These logs are periodically analyzed for security events and overseen by the CTO.

Incident Management & Response

In the event of a security breach, Mundo Pato will promptly notify you of any unauthorized access to your Client Data. Mundo Pato has incident management policies and procedures in place to handle such an event, such as: identifying the type of intrusion or security event, alerting relevant internal departments, notifying clients, taking corrective action and executing a plan to prevent re-occurrence of the event or intrusion.

External Security Audits

We contract external security firms who perform audits of the Mundo Pato services to verify that our security practices are sound.

Contacting Us

If you have any questions about this Privacy Policy or our privacy practices, please contact Kim Freeman at content@mundopato.com, or send mail to:

Mundo Pato, Inc. 8117 SW 35th Avenue, Portland, OR 97219