Privacy Policy

Onapsis Defenders Community Privacy Policy

This Privacy Policy describes how Onapsis, Inc. (“We,” “Our,” or “Us”) collects, uses, and otherwise processes personal data that you provide to us, or that we obtain or generate, to provide you with our community services, including our messaging, features, software, and website (“Defenders Community”).

Please also read Our Defenders Community Terms of Use (“Terms”), which describe the terms under which you use the Defenders Community.

  1. What personal data does Onapsis have?

We may collect and process your name, email address, job information, phone number, address and cookie information. Personal Data can be collected when voluntarily submitted or provided by you through sales enquiries, marketing events, downloads, use of the Defenders Community and from third parties.

The information we collect on or through the Defenders Community may include:

A. Messaging Info: When you interact with the Defenders Community members we collect your messages, including message-related information (such as the content of the message, any attached files or media, and data from interactive features such as reactions, effects, stickers, scheduling, and polls).

B. Contact Info: We may collect information, such as your name, email, phone number, profile picture or any image you use as avatar, and demographic information such as your date of birth, gender identity, location, or interests (collectively, “Contact Info”) from you when you register with Defenders Community.

C. Member Info: We may analyze your activities (including your Contact Info, Messaging Info, and imported data) and generate insights about you (“Member Info”).

D. Technical Info: When using Defenders Community, including registering to become a Defenders Community member, clicking on links or media in messages sent via the Defenders Community, we collect Internet, electronic activity, and other information automatically from the devices and browsers that you use and from the messages that you send (collectively, “Technical Info”). This includes information about the type of device and operating system you use, your phone number, your IP address and location, cookie and device identifiers, the type and version of browser you use, app version, and your ISP or wireless carrier. We may also collect information about your location, such as by using your IP address to determine your approximate location. When using our Defenders Community, we also collect information about the links you send or click on, pages you view, other information about how you use Defenders Community, and other standard server log information.

E. Correspondence: When you contact our customer support or sales teams, participate in one of our surveys, contests, or promotions, or communicate with us in any other way, we’ll collect whatever information you volunteer or that we need to resolve your question.

F. Other Info: We may also receive or sync information about you from other sources, including from the Defenders Community members, third-party services, partners, and organizations. We may aggregate or de-identify the information described above. Aggregated or de-identified data (meaning data that cannot reasonably be tied to you or used to identify you) is not subject to this Privacy Policy.

 II.  How is my Personal Data Used?

We use the information described above for the following business purposes:

  • to operate the Defenders Community platform, including by offering our Defenders Community, analyzing Messaging Info and Contact Info;
  • to market the Defenders Community and other Onapsis offerings to potential and current Defenders Community members;
  • to otherwise develop, operate, improve, deliver, promote, maintain, and protect the Defenders Community services (including troubleshooting, data analytics, testing, research, statistical and survey purposes) ;
  • to send you communications and respond to your communications (for example, we may use email to respond to support inquiries or to share information about the Defenders Community and other Onapsis offerings);
  • to manage our relationship with you (including providing you with the information, products and services that you request from us); and
  • to keep the Defenders Community and our users safe and secure, to enforce our Terms and other usage policies, to comply with legal requirements, and to protect or exercise our legal rights or defend against legal claims.

III. Our Disclosure of Information

We may share the information described above in the following ways:

  • With Defenders Community members and the general public. We may share your account information (such as your Defenders Community profile name, profile picture, and branded images) and messages with Defenders Community members and the general public.
  • With vendors and service providers. We may share your information with third-party vendors and service providers that provide services to us, such as telecommunications companies or internet platforms that process and deliver messages, the cloud platforms and services we use to host and process data, online platforms where we deploy our services, the marketing/ad platforms we use to acquire users, data analytics software, security and debugging services, communication tools, our payment and billing processors, content moderation tools, website hosting software, research and survey tools, third party auditors, and data management tools.
  • With corporate affiliates. We may share your information with our corporate affiliates.
  • In business transfers. We may share information about you as part of a merger or acquisition. If we are involved in a merger, asset sale, financing, liquidation or bankruptcy, or acquisition of all or some portion of our business to another company, we may share your information with that company before and after the transaction closes.
  • For legal purposes. We may disclose information to respond to subpoenas, court orders, legal process, law enforcement requests, legal claims or government inquiries, and to protect and defend the rights, interests, safety, and security of Onapsis, Inc. and our affiliates, users, and the public.
  • With your consent. If you consent, we may also share information for any other purposes disclosed to you at the time we collect the information or pursuant to your consent.

If you access third-party services via Defenders Community, these third-party services may be able to collect information about you, including information about your activity on the Defenders Community, in accordance with their own privacy policies. Onapsis suggests that you check the privacy policies of these sites to determine how your personal data will be utilized by the proprietors of those third-party sites.

IV.  Our Use of Cookies

The information we collect on or through the Defenders Community may include information you provide by filling in forms or making other affirmative choices on the Defenders Community, details of transactions you carry out through the Defenders Community and information we collect through automatic data collection technologies (“Cookies”). As you navigate through and interact with the Defenders Community, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including (i) details of your visits to the Defenders Community, such as traffic data, logs, navigation data and other communication data and the resources that you access and use on Defenders Community; and (ii) information about your computer and internet connection, including your IP address, operating system, and browser type.

The information we collect automatically is statistical data and may include personal data, but we may maintain it or associate it with personal data we collect in other ways or receive from third parties. This information helps us to understand our user base and usage patterns, store information about your preferences, allowing us to customize our Defenders Community, improve the Defenders Community and deliver better service; and recognize you when you return to the Defenders Community.

The technologies we use for automatic data collection may include:

  • Browser cookies: A browser cookie is a small file placed on the storage unit of your device. A cookie file can contain data such as a user ID that the site uses to identify your computer or device and to identify the pages you've visited, but the only personal data a cookie can contain is data you supply yourself. Your browser is most likely set to accept cookies. However, if you would prefer not to receive cookies, you can alter the configuration of your browser to refuse cookies. If you choose to have your browser refuse cookies, it is possible that some areas of our Defenders Community will not function properly when you view them. Note that third parties collect and use data from Cookies placed on the Defenders Community. This Privacy Policy may not describe the privacy practices of such third parties. We encourage you to read the privacy policies of these third parties and, if you prefer to not have data reported by these parties, follow their opt-out processes where these exist.
  • Web beacons: Pages of the Defenders Community may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us to ascertain the effectiveness of our product, service campaigns and marketing programs; allow us to customize the services offered on or through our Defenders Community; and help us determine the best use for Defenders Community content, and product and service offerings.

 V. Children Under the Age of 16 and Young People.

Children and young people under 18 cannot register with the Defenders Community. Onapsis will not collect personal data from any person who is actually known to us to be under the age of 18. If we become aware that a person under 18 has provided personal data, Onapsis will take steps to remove such data and terminate that individual's account, access and use of the Defenders Community. If you believe we might have any information about a child or a young person under 18, please contact us at privacy@onapsis.com

VI. General Data Protection Regulation (“GDPR”)

Data and its protection are becoming increasingly important to individuals and enterprises. On May 25, 2018, the European Union reenacted the most significant piece of legislation intended to protect personal data, the General Data Protection Regulation (“GDPR”). The GDPR is designed to establish one set of data protection rules across the EEA. The GDPR applies to organizations that process EEA personal data, even if that organization is established outside of the EEA.

The terms “Data Controller”, “Data Processor”, “Personal Data”, “Processing” and “Sub-processor” shall have the same meaning as defined in the Standard Contractual Clauses and Article 4 GDPR.

Pursuant to Article 28 of the GDPR, Onapsis has certain obligations as Data Processor relating to its processing of personal data and expressly commits to:

  • Only act on written instructions of the Data Controller (i.e. customer set out in a Data Processing Agreement).
  • Implement technical and organizational measures to ensure the adequate protection of Customer’s Personal Data, which measures shall fulfil the requirements of the GDPR and specifically its Article 32.
  • Notify Data Controller, without undue delay, if Onapsis becomes aware of breaches of the protection of personal data and to the data protection authorities within 72 hours.
  • Engage Sub-processors (i.e. contractors) only with prior written authorization of the Data Controller.
  • Provide adequate safeguards to transfer Personal Data to a country outside the EEA (“Third country”), such as the standard contractual clauses.
  • Ensure that persons authorized to process Personal Data have committed themselves to Data Secrecy/Confidentiality Agreements.
  • Inform the Data Controller if Onapsis receives a request from a data protection authority or individuals to exercise data subject's rights.
  • Upon Data Controller’s instruction, correct, delete or return all the Personal Data after the end of the provision of services.
  • Make available to the Data Controller all information necessary to demonstrate compliance and cooperate in audits.

 VII.  International Data Transfers

Pursuant to GDPR, when a Data Controller or Data Processor wishes to transfer personal data to a Third Country, the third country must ensure that it has an adequate level of protection for the personal data as determined by the European Commission (“Commission”) or provide appropriate safeguards on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Onapsis will continue to use European Commission-approved Standard Contractual Clauses (“SCC”) as a legal mechanism to legitimize international data transfers from the EEA to countries that are not deemed to provide an adequate level of protection and has deployed a mechanism that provides appropriate safeguards for the data. Therefore, third country transfer will be based on SCC and incorporated in the form of a Data Processing Agreements (“DPA”) or other written agreements between Onapsis and its customers. Onapsis will not transfer personal data that processes on Customer’s behalf to any third country, unless and according to the Commission, a mechanism that provides appropriate safeguards for data is properly deployed.

In addition, and for the purposes of providing an additional level of trust for its European customer base, Onapsis has self-certified for the EU-U.S. Data Privacy Framework, which has been deemed by the European Commission as adequate to enable data transfers under EU law (adequacy decision on the EU-US Data Privacy Framework).

VIII.  EU-U.S. Data Privacy Framework Policy

Notice of Certification: Onapsis complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) as set forth by the U.S. Department of Commerce. Onapsis has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit the Data privacy framework website list.

Scope: This section describes the EU-U.S. Data Privacy Framework considerations for data privacy and protection.

Onapsis is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Compelled Disclosure: Onapsis may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Complaints: In compliance with the EU-U.S. Data Privacy Framework Principles, Onapsis commits to resolve complaints expeditiously (no more than 45 days) about our collection or use of your personal data. Enquiries or complaints regarding our EU-U.S. Data Privacy Framework policy should be requested to Onapsis at: privacy@onapsis.com.

Dispute Resolution: If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, Onapsis has committed to refer unresolved EU-U.S. Data Privacy Framework complaints to JAMS (Judicial Arbitration and Mediation Services, Inc), an alternative dispute resolution provider located in the United States. In either of those cases, please contact or visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS (Judicial Arbitration and Mediation Services, Inc) are provided at no cost to you.

Arbitration: For residual complaints not fully or partially resolved by other means, you may be able to invoke binding arbitration before the EU-U.S. Data Privacy Framework Panel as detailed in the Principles. For further information, please see the EU-U.S. Data Privacy Framework website. To learn more about the EU-U.S. Data Privacy Framework at the Data privacy framework website.

Liability: In the context of an onward transfer, Onapsis as a EU-U.S. Data Privacy Framework certified organization has responsibility for the processing of personal data it receives under the EU-U.S. Data Privacy Framework. Onapsis, as a EU-U.S. Data Privacy Framework certified organization shall remain liable under the Principles if its agent processes such personal data in a manner inconsistent with the Principles, unless we prove that it is not responsible for the event giving rise to the damage.

IX. California Privacy Rights

This section provides additional details about the personal information we collect about California residents and their rights under the California Consumer Privacy Act of 2018 or “CCPA.”

For more details about the personal information we have collected over the last 12 months, including the categories of sources, please see the information we collect on section What personal data does Onapsis have? This information is collected to improve the Defenders Community and deliver a better service for contract management, sales administration, Onapsis customer portal access and product updates, described in the How is my personal data used? section. We share this information with third parties as described in the Our Disclosure of Information section. Onapsis does not sell (according to CCPA’s definition) the personal information we collect and will not sell it without providing a right to opt out. Please note that we do use cookies to enhance the user experience, monitor and improve performance in the Defenders Community and for advertising purposes.

Subject to certain limitations, the CCPA provides California residents the right to request to know more details about the categories or specific pieces of personal information we collect (including how we use and disclose this information), to delete their personal information, to opt out of any “sales” that may be occurring, and to not be discriminated against for exercising these rights.

California residents may make a request pursuant to their rights under the CCPA by contacting in an email at privacy@onapsis.com. To verify your request, government identification may be required. California residents can also designate an authorized agent to exercise these rights on their behalf.

X.  Changes to this Privacy Policy

Onapsis may modify this Privacy Policy from time to time. When we update the Privacy Policy, we will revise the “Last updated” date below.

XI.  Our Contact Information

You can reach us at Onapsis, Inc., 101 Federal Street, Suite 1800, Boston, MA 02110. If you have any questions about this Privacy Policy or our practices, please email us at privacy@onapsis.com.

© 2025 Onapsis, All Right Reserved    |  Contact Us   Privacy Policy   Terms of Use   Getting Started