Privacy Policy
Last updated: August 2, 2024
Table of Contents
- Definitions and Interpretation
- Your Privacy
- What Data Does Smokeball Collect?
- How We Collect Your Personal Data
- How Do We Use and Disclose Your Personal Information?
- Who Do We Share Your Personal Data With?
- How Do We Keep Your Personal Data Secure?
- International Data Transfers
- Data Retention
- Data Subject Rights
- How to Access and Correct Your Personal Data
- How to Make a Complaint
- Updates to This Privacy Policy
- How to Contact Us
1. Definitions and Interpretation
Personal Data means any information about an identified or identifiable person. In general, we collect and process the following types of personal data (although the specific types of data that we collect and process about you will depend on how you interact with us and our Services, as explained below):
- Client is a client of one of our customers (for example, a client receiving legal services from a law firm that is using our Services).
- Client Data is information a Client may upload to or generate from our services. This may include documents and e-mails exchanged between Smokeball customers and their clients, documents uploaded, imported, or generated by our customers in relation to a legal matter, invoices generated by our customers in relation to a legal matter and work they have performed for their clients, and the client’s contact information.
- Communications Data is information you provide to us when you communicate with us by e-mail, telephone, at in-person events, conferences, and seminars, by mail, through our social media channels, when you respond to surveys, when you provide us with feedback or ideas for our Services, and when you leave reviews or testimonials about us or our Services.
- Contact Data is your first name, last name, email address, phone number(s), billing address, and business address.
- Employment Data is your job title, employment status, employer, and professional qualifications held.
- Financing Data is the identity and details of your financier or bank, and details of any financing or credit arrangements you have entered into in relation to the payment of our fees.
- Marketing Data is your preferences for receiving marketing from us and the Smokeball Group, marketing lists you are part of, topics you are interested in receiving marketing communications about, and your communication preferences.
- Public and Third-party Data is information you make publicly available from third-party websites (e.g., your firm's, Avvo, or chamber's websites), or which is provided to us by third-party (e.g., referrers).
- Technical Data is information about the device type you used to access our Service (e.g., mobile or desktop), your device’s operating system (e.g. iOS, Windows, or Android), application software, browser type and settings (e.g. language, time zone, location), Internet Protocol (IP) address, MAC address, and access times.
- Transaction History Data is information about any payments you have made to us, refunds we have paid to you, credits, adjustments, or discounts that you are entitled to or that we have applied, details of any Services you have purchased from us, and your Service renewals and cancellations.
- Support Data is information you provide to us when you make a request for support in relation to our Services, and information we can see from your screen or account if we need to provide remote support using a “share-screen” feature, or if we need to access your account remotely. We will only use this information for providing support in relation to our Services.
- User or Customer is an individual end user of our Services (for example, a sole practitioner, or an employee or partner of a law firm that uses our Services).
- User Data or Customer Data is information provided, uploaded, input, or generated from a User of our Services.
2. Your Privacy
Your privacy is important to Smokeball, and we are committed to protecting your personal data. This Privacy Policy provides you with information about how we collect, use, disclose, and otherwise process personal data collected in connection with your use of our websites, mobile applications, software solutions and other Smokeball services (collectively, the “Services”).
In this Privacy Policy, unless otherwise specified:
- “Smokeball”, “we”, “our”, “us”, and any similar terms refers to:
- if you are accessing or using Smokeball Services in the United States; and
- if you are accessing or using Smokeball’s Services, or accessing Smokeball’s U.S. websites,
- the “Smokeball Group” refers to Smokeball UK Limited, Smokeball Australia Pty Ltd, and Smokeball Inc, as well as any of their parent or subsidiary companies (or companies controlled by the same parent) from time to time.
3. What data does Smokeball collect?
3.1 User Data
We may collect, store, and otherwise process information about you that you provide, upload, input, or generate from your use of our Services. Depending on the Services you use, this may include information about your work emails, calendar, meetings and appointments, time recordings, invoices, memos, work-related documents, interactions with other colleagues and counterparties through our Services, and account passwords. We may also collect or infer certain information from your use of our Services, such as the particular Services you access, features you use, time of access, login attempts, duration of each usage session, where you access our Services from, and your Service settings, preferences, and usage habits.
3.2 Client Data
If you are a client of one of our customers (for example, a client receiving legal services from a law firm that is using our Services), then we may collect, store, and otherwise process information about you and your legal matter, which our customers upload or import to, or generate from, our Services. This data may include sensitive category data as described in section 3.3 below.Our Services may also give customers the ability to grant limited access to certain parts of the Services (including data stored on those Services, such as Client Data) to third parties. This will allow those third parties to access certain Client Data that our customers choose to share through the Services. Some examples of how our customers may use this feature to share Client Data with third parties include:
- a customer may set up a virtual data room through our Service as part of a corporate acquisition, to share certain Client Data with the purchasing party and their professional advisors for the purposes of conducting due diligence;
- a customer may create a shared space to share Client Data relating to legal proceedings with an external attorney; or
- a customer may create a shared space to enable sharing of Client Data with relevant third parties in the context of a conveyancing transaction.
- We collect, share, and otherwise process Client Data as a data processor on behalf of our customers (i.e. law firms, attorneys, and other legal professionals that use our Services). This means that in the vast majority of cases, the customer is the controller of this data and will determine how your Client Data is processed and who it is shared with. If you have any questions about our processing of Client Data, you should first speak with the law firm or legal professional that you are a client of, and that has provided us the Client Data for processing.
We only collect and process Client Data as required to provide our Services to our customers, or where required to comply with applicable law. We do not access or share Client Data stored on our servers except in the following circumstances:
- where Client Data may be made temporarily visible to us when providing technical support or training to our customers, or when we are responding to a customer's questions;
- where we are required or compelled by law (including by court order or subpoena) or at the direction of a government or law enforcement authority to share Client Data with another party (and in such cases, we may act as the controller of the data); or
- where our customer has authorized the Client Data to be shared with a third-party.
3.3 Sensitive Category Data
Sensitive category data means:
- data about your racial or ethnic origin, political opinions, sexual practices or orientation, religious or philosophical beliefs, trade union membership, criminal history, or physical or mental health;
- your genetic or biometric data; and
- any other specific categories of data that are subject to more onerous requirements under applicable data protection laws from time to time.
- We do not proactively seek to collect or process sensitive category data. However, we may store, share, and otherwise process sensitive category data to the extent that this data is Client Data, as described in section 3.2 above. We describe the purposes for which we process Client Data (including where this contains sensitive category data) in sections 3.2 above.
3.4 Aggregated Data
We also collect and process high-level statistical and/or demographical data about how our customers interact with our Services (for example, how customers of a certain size or type like to use our Services). This data relates only to our customers, and cannot be used to directly or indirectly identify a specific individual user of our Services. As such, this data is not considered personal data and may not be subject to the same safeguards as described in this Privacy Policy.We use this aggregated data to better understand our customers, what features they use the most, to identify opportunities to improve our Services, and to determine what marketing content, guides, and publications will be of most value to our customers.
4. How We Collect Your Personal Data
The ways in which we collect personal data, and the types of personal data that we collect each way, is set out in the table below.
4.1 Information You Provide to Us
We collect personal data you provide when you use our Services from one or more devices associated with you, or that you provide in any other way, including over the phone, by email, or on paper. The table below sets out some of the ways you may provide personal data to us, and the types of personal data we collect in these ways.
4.2 Information We Receive from Other Sources
We may collect personal data about you from third-party sources, such as information that is publicly available on your social media profiles or third-party websites (such as your firm website), or where we receive personal data about you from a third-party referrer participating in our referral program. The table below summarizes some of the different third-party sources we may use to collect your personal data, and the types of personal data we collect from these sources.
4.3 Information That We Automatically Collect
When you visit our websites or blogs, open or click on any links in our marketing communications, or use our Services, we may automatically collect information about your visit, including pages you access, links you click and actions you take through the use of essential and non-essential cookies, web beacons, pixel tags and other tracking technologies (collectively, “cookies”). We may also collect Technical Data from your device and web browser. If you are in the UK and would like more information about our use of cookies, please see our UK cookie policy at https://www.smokeball.co.uk/cookies.
5. How Do We Use and Disclose Your Personal Data?
We use and disclose the personal data that we collect only for the purposes described in this Privacy Policy or for purposes that we explain to you at the time of collection. Depending on our purpose for collecting your personal data, we rely on one or more of the following legal bases:
- Performance of a contract: we require certain personal data in order to provide the Services you purchase or request from us, and which we have agreed to provide, under a contract.
- Consent: in certain circumstances, we may ask for your consent (separately from any contract between us) before we collect, use, or disclose your personal data, in which case you can voluntarily choose to give or deny your consent without any negative consequences to you.
- Compliance with our legal obligations: there may be instances where we must collect, store, process, or disclose your personal data to comply with our legal obligations.
- Legitimate interests: we may use or disclose your personal data for our legitimate business interests. Where we need to process your data to pursue our legitimate interests, it will be in a way which is reasonable for you to expect as part of the running of our business and which does not materially affect your rights and freedoms.
The table below provides more detail on the purposes for which we may process your personal data, the types of personal data we process for that purpose, and the legal basis (or bases) upon which we rely to so process your personal data.
6. Who Do We Share Your Personal Data With?
We may share your personal data with the following categories of recipients:
- Other members of the Smokeball Group, who provide data processing services necessary to provide you with our Services (for example, to support the delivery of, provide functionality on, or help to enhance the security of our website and online services), or who otherwise process personal data for purposes described in this Privacy Policy.
- Third-party payment processors, who we use to process payments when you purchase a subscription to our Services. The third-party processor will need to collect and process your payment data (such as your payment card or bank account details) to process your payments. We do not collect or process this data ourselves.
- Other third-party service providers and partners who provide data processing services to us as necessary to provide you with our Services (for example, to support the delivery of, provide functionality on, or help to enhance the security of our website and online Services), or who otherwise process personal data for purposes described in this Privacy Policy. We may also share personal data with providers of third-party services that interface with or are integrated with our Services, if you request to use those third-party services.
- Third-party services and business partners when you use third-party and partner services linked through our website or online Services (for example, third-party payment services) your personal data will be collected by the provider of such services. Please note that when you use third-party services, their own terms and Privacy Policies will govern your use of their services.
- Third-party financiers or banks when you contact us about financing arrangements for our Services. We may share some of your personal data with third-party financiers or banks to enable them to enter into a financing arrangement with you. We do not collect, store, or share any financial data about you ourselves.
- Third parties who our customers share Client Data with through the Services. As described in section 3.2 above, our Services allow Customers to create shared spaces where they can share certain Client Data with third parties. These third parties may include, for example, attorneys, counterparties in a corporate transaction, or real estate agencies in a conveyancing transaction. We share Client Data with these third parties as processor on behalf of our customers, who as controller determine what Client Data is shared and who it is shared with. If you are a client of one of our customers and would like to know more about who your Client Data is shared with, you should speak with the customer in the first instance.
- Any competent law enforcement body, regulatory, government agency, court or other third-party (such as our professional advisers) where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person.
- A buyer (and its agents and advisers) in connection with any actual or proposed purchase, merger, or acquisition of any part of our business, provided that we inform the buyer it must use your personal data only for the purposes disclosed in this Privacy Policy.
- Any other person with your consent to the disclosure (obtained separately from any contract between us).
7. How Do We Keep Your Personal Data Secure?
Our information security risk management framework is aligned with ISO27001 employing multiple layers of reasonable security controls to protect our platforms. A risk-based approach is utilized and industry-accepted controls from ISO and NIST are referred to ensure appropriate defense measures are implemented including:
- Access management,
- Continuous malware monitoring,
- Encryption utilizing a minimum of TLS1.2 for data in transit and at rest,
- Patch and vulnerability management and
- System resiliency/recovery.
Where you have an account with us that uses a unique password to enable you to access our Services, it is your responsibility to keep this password secure and confidential.
8. International Data Transfers
Where we transfer your personal data to other Smokeball Group members, or to other third parties as outlined in section 6 above, your data may be processed in countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective).
Our servers and the Smokeball Group companies are located in the United Kingdom, the United States, and Australia. Our third-party service providers and business partners operate in the United Kingdom, the United States, Australia, and Japan. This means that when we collect your personal data, it may be processed in any of these countries. If we transfer your personal data out of your jurisdiction, we will implement suitable safeguards and rely on legally-provided mechanisms as required by applicable law to lawfully transfer data across borders to ensure that your personal data is protected.
We retain the personal data we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax or accounting requirements).
In certain circumstances, we will need to keep your personal data for legal reasons after your subscription to our Services has ended. The specific retention periods depend on the nature of the personal data and why it is collected and processed and the nature of the legal requirement.
When we have no ongoing legitimate business need or legal reason to process your personal data, we will either delete or anonymize it. If this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.
9. Data Subject Rights
You have the following data protection rights. To exercise any of these rights, you should contact us using the contact details provided in section 13 below.
- You may have the right to access, correct, update or request deletion of your personal data as set out in section 10 below.
- You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt-out of other forms of marketing (such as postal marketing or telemarketing), please contact us using the contact details provided in section 13 below. If you choose to opt out of marketing communications, we may still send you non-promotional administrative emails, such as emails about your current subscription and Service alerts.
- If we have collected and processed your personal data with your consent, then you can withdraw your consent at any time by using the contact details provided in section 13 below. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.
- You may have the right to complain to a supervisory or state authority about our collection and use of your personal data (see section 11 below).
California Residents
- Under the CCPA, a California resident has the following rights: (1) to request additional information about our data collection, use, disclosure, and sales practices in connection with your personal data; (2) to request the specific personal data collected about you during the previous 12 months; (3) to request the deletion of the personal data we have about you; (4) to request a restriction on certain processing of personal data; and (5) to request correction of inaccurate information. You may not be discriminated against for exercising your California privacy rights.
- California residents are also entitled to contact us to request information about whether we have disclosed personal data to third parties for the third parties’ direct marketing purposes. Under the California “Shine the Light” law, California residents may opt-out of the disclosure of personal data to third parties for their direct marketing purposes. You may choose to opt-out of the sharing of your personal Information with third parties for marketing purposes.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. Please contact us at infosec@smokeball.com.
10. How to Access and Correct your Personal Data?
You may ask to access any personal data that we hold about you at any time by contacting us using the details set out in section 4.
If you believe that any personal data that we hold about you is incorrect, incomplete, or inaccurate, then, you may ask that we correct that data. We will consider your request for correction, and if we do decide not to make the correction, then you can ask that we add a note to the personal data that we hold stating that you disagree with it.
We will try to provide you with suitable means of accessing the personal data (for example, by posting or emailing it to you), and may charge you a reasonable fee to cover our administrative and other reasonable costs in providing the data to you. We will not charge you for simply making the request and will not charge for us making any corrections to your personal data.
There may be instances where we cannot grant you access to the personal data we hold. For example, we may need to refuse access if granting access would interfere with the privacy of others or if it would result in a breach of confidentiality or legal professional privilege. If that happens, we will provide you with written reasons for our decision.
11. Other Important Privacy Information
Artificial Intelligence: Smokeball integrates advanced artificial intelligence technology across our product suite, enhancing core functionalities with generative AI capabilities such as the Archie assistant. This AI-powered approach streamlines workflows, boosts efficiency, and enables law firms to accomplish more in less time. Smokeball AI and Archie data processing activities and functionality align with our products’ primary uses. The use, collection and processing of any data is consistent with our core principles and requirements described in our Privacy Policy.
12. How to Make a Complaint
If you believe that your privacy has been breached, please contact us using the details set out in section 13 and provide us with details of your concerns so that we can investigate the matter further. We will treat your complaint confidentially and will try to investigate and resolve your complaint within a reasonable period of time. Please email complaints to infosec@smokeball.com.
13. Updates to This Privacy Policy
We may update this Privacy Policy from time to time in response to changing legal, regulatory, technical, or business developments. When we update our Privacy Policy, we will act appropriately to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Policy changes if, and where, required by applicable data protection laws. You can see when this Privacy Policy was last updated by checking the “last updated” date displayed at the top of this Privacy Policy.
14. How to Contact Us
If you have any questions or concerns about how we use of your personal data, how long we retain your personal data, or the steps we take to protect your personal data, please send us an email at infosec@smokeball.com.