Privacy Policy (monday.com Integrations)

Effective Date: 8 April 2025

1. Overview

Adaca One Pty Limited ACN 671 335 792 ("we", "us", "our") is committed to protecting the privacy of its existing and prospective customers ("you", "your").

This Privacy Policy applies to your use of our Integration Tool accessible via the monday.com Marketplace, and outlines how we collect, use, and disclose your Personal Information. The Integration Tool does not collect personal information directly from users; however, it may process or store customer data that users transmit between their monday.com and Amazon Connect or Amazon Q in Connect accounts using the Integration Tool. When you access or use our Integration Tool, you consent to us collecting, holding, using, and disclosing this information in accordance with this policy.

You are not obligated to provide us with your personal information, but it may be necessary to provide you with certain Services. In such cases, if you do not provide your personal information, we may not be able to provide you with the requested Services.

2. Scope of this Policy

This privacy policy covers the Personal Information collected by us when you use, access or interact with our Services.

We may also create and use deidentified data from time to time, being data that can no longer reasonably be used to identify you. Where we maintain deidentified data, we make no attempt to re-identify it, except for the purpose of determining whether our de-identification process satisfies the requirements of any applicable laws.

For the purposes of the General Data Protection Regulation (GDPR) and UK GDPR, we act as a Data Processor where we process personal data on behalf of our clients (such as handling debtor data from integrated third-party services), and only process such data in accordance with the instructions of the Data Controller (our client).

We do not act as Data Controller as we do not collect user information directly from you.

3. What this Policy Does Not Cover

This policy does not apply to:

  • Customer Personal Data, being any personal data you or your organisation collects from its customers and provides to us for processing on your behalf, such as CRM information transferred by you from your monday.com account to your Amazon Connect environment using the Integration Tool, which is subject to your privacy policy;
  • Employee Data, being personal data relating to our employees or prospective employees;
  • Third-Party Data, being data collected by applications, cloud-based services, software, websites, integrations or services provided by a party other than the Company that our Services interoperate or integrate with, and which are governed by their respective privacy policies; and
  • Personal information processed under the instructions of business customers (i.e. when we are the Data Processor).

4. What is Personal Information?

For the purposes of this Privacy Policy, "personal information" refers to any information or opinion about an identified individual or an individual who is reasonably identifiable. This may include, but is not limited to:

  • name, address, email address, phone number, and other contact details;
  • financial information such as transaction records or debtor information; and
  • information about interactions with our Tool, such as usage data and technical information.

5. Personal Information We Collect

We collect personal information in various ways, depending on your interactions with our Integration Tool. Below is a breakdown of what we collect, how we collect it, and why:

5.1. Information you provide to us

You may provide personal information when you:

  • install, access, or use the Integration Tool;
  • interact with our customer support team.

This includes:

  • Account Information: monday.com user IDs, monday.com account IDs, monday.com access tokens, board IDs, and synchronisation status indicators;
  • User and Contact Details: User names, user email addresses, contact names, contact phone numbers, and contact-campaign associations;
  • Amazon Connect Configuration: Region settings, AWS access key IDs, AWS secret access keys, Connect instance IDs, Connect instance aliases, customer profile domains, and connection status information;
  • Call Data: Phone numbers of callers/recipients, call types, call durations, call dates, call transcripts, Amazon Connect contact IDs, monday.com posting status, and call notes;
  • Board Synchronisation Data: Phone numbers associated with monday.com items, monday.com item IDs, and synchronisation timestamps;
  • Campaign Information: Campaign names and their associations with users;
  • Third-Party Integration Data: Information you grant us access to from third-party applications (e.g. monday.com, Amazon Connect, Amazon Q in Connect);
  • Metadata: Creation and update timestamps for all records to maintain data integrity and track changes.

5.2. Information from public and third-party sources

We may collect publicly available information or data from third parties, such as:

  • Social profiles (e.g., LinkedIn);
  • Contact details (e.g., email address, phone number);
  • Professional information for marketing purposes.

6. How and Why We Use Your Information

We collect and process your personal information for a variety of reasons. Below, we outline how and why we use your personal information and the legal basis for processing it.

| Purpose of processing | Legal basis | Types of Personal Information processed |
|---|---|---|
| Providing the Integration Tool | Contractual necessity | Account Information, User and Contact Details, Board Synchronisation Data, Third-Party Integration Data |
| Call Management and Tracking | Contractual necessity | Call Data, Contact Details |
| Synchronisation between monday.com and Amazon Connect | Contractual necessity | Account Information, Board Synchronisation Data, Campaign Information, Third-Party Integration Data |
| Customer Support and Troubleshooting | Legitimate Interest | Account Information, Amazon Connect Configuration, Metadata |
| Compliance with legal and regulatory obligations | Legal Obligations | Call Data, Metadata |
| Fraud prevention and security measures | Legitimate Interest | Amazon Connect Configuration, Account Information |
| Improving user experience and service performance | Legitimate Interest | Metadata, Call Data, Board Synchronisation Data, Third-Party Integration Data |
| Internal audits and risk management | Legal Obligation | Account Information, Amazon Connect Configuration, Metadata |

Certain categories of personal information may be classified as Sensitive Personal Information (SPI) under applicable privacy laws. We do not collect SPI unless it is reasonably necessary for our Services and you have provided explicit consent. For our purposes, this may include:

  • Financial information (such as bank account details, credit history, payment records); or
  • Government-issued identifiers (such as Social Security Number, Tax File Number, passport details).

Where SPI is collected, we will process it only as necessary to provide our services, comply with legal obligations, prevent fraud, or with user consent. To understand your rights in relation to SPI, please refer to section 12.

7. Legal Basis for Processing Personal Information

We process your personal information based on the following legal grounds:

  • Consent: where you have explicitly provided your consent or agreed to the integration of third-party software accounts (e.g. monday.com, Amazon Connect, Amazon Q in Connect) with the Services;
  • Contractual necessity: where processing is required to fulfill our obligations under the terms of service, including to provide the Services;
  • Legitimate interest: where processing is necessary for our legitimate business interests, including improving Service functionality, detecting fraud, and securing our systems, provided these interests are not overridden by your fundamental rights and freedoms;
  • Legal obligation: where processing is required for us to comply with legal obligations, such as financial record keeping or responding to lawful requests.

In jurisdictions where applicable law distinguishes between primary and ancillary processing purposes:

  • Primary Purposes include essential activities necessary to provide the Services and to fulfill our contractual obligations, including managing debtor communications, analysing Third-Party Integration Data, and all other processing purposes not identified as Ancillary Purposes;
  • Ancillary Purposes are processing activities that support and enhance our Services, including fraud prevention, marketing, analytics, and compliance with legal obligations.

We process personal information for ancillary purposes only where it is:

  • Compatible with the original processing purpose,
  • Reasonably expected by users, or
  • Explicitly consented to.

In accordance with the GDPR's Purpose Limitation Principle (Article 5(1)(b)), we do not process personal information for new purposes that are incompatible with the original purpose without first obtaining a new legal basis.

8. How and When We May Disclose Your Personal Information

We may disclose your personal information in the following circumstances, where necessary and in compliance with applicable privacy laws:

  • Service Providers and Vendors: We share personal data with third-party vendors who assist in delivering our Services, such as cloud hosting providers, payment processors, analytics services, and customer support platforms. These vendors are contractually obligated to handle your data securely and use it only for the specified purposes.
  • Third-Party Software Integrations: If you connect third-party services (e.g., monday.com, Amazon Connect, Amazon Q in Connect) with the Services, we may share relevant data to enable these integrations. We do not control how these third parties use your data, and their processing is governed by their respective privacy policies.
  • Regulatory and Legal Obligations: We may disclose personal data to law enforcement agencies, regulatory authorities, or government bodies if required by law, legal process, or to protect our legal rights.
  • Business Transfers: In the event of a merger, acquisition, restructuring, sale, or other transfer of assets, personal information may be shared with the acquiring entity, legal advisors, or due diligence teams as necessary for the transaction.
  • Professional Advisors: We may share personal data with legal counsel, accountants, auditors, and other professional advisors for compliance, legal, tax, or risk management purposes.
  • Affiliates and Business Partners: We may share information with affiliated companies or business partners where required for service delivery, internal business operations, or marketing initiatives (where permitted by law).
  • Fraud Prevention and Security Measures: To protect against fraud, security breaches, and illegal activities, we may share relevant data with fraud prevention and security monitoring services.

We may also disclose your information to third parties where you have expressly consented to the disclosure or the consent may be reasonably inferred from the circumstances (such as to your professional advisors).

We do not sell personal information in the traditional sense. However, under certain laws (such as California law (CCPA/CPRA)), certain data-sharing arrangements (e.g., sharing usage data with advertising networks) may be considered a "sale" or "sharing" of personal data. If you are a California resident, you may opt out of such data sharing by submitting a "Do Not Sell or Share My Personal Information" request as outlined in section 12 below.

9. Data Retention and Deletion

9.1. General retention

We retain personal information for as long as necessary to provide our Services and to fulfill legal, regulatory, or operational requirements. The retention period for personal data is determined based on several factors, including the nature of the data, the purpose for which it was collected, and any legal or regulatory obligations that require its retention.

Specifically, we retain:

  • Account Information and Amazon Connect Configuration data for the duration of your use of our Integration Tool
  • Call Data, including call transcripts and logs, for a period of twelve (12) months after the call date
  • Board Synchronisation Data for as long as needed to maintain proper integration between monday.com and Amazon Connect
  • Campaign Information and Contact Details for the duration of your active campaigns
  • Third-Party Integration Data only as long as needed to facilitate the ongoing integration

We assess data retention periodically to ensure that personal information is retained only for as long as necessary.

9.2. Retention Policy following Termination of the Services

When you or monday.com de-authorise, deactivate, uninstall or otherwise terminate the Services, we will either:

  • permanently delete all end-user data and any metadata that was collected, transmitted, created, or received by the Services within 10 days of the Services being de-authorised, deactivated, uninstalled or terminated; or
  • obtain your express, written consent from the end-user to retain your data longer than 10 days, provided such consent is clear and explicit

Certain information may be retained for an extended period to comply with regulatory, security, fraud prevention, and financial record-keeping obligations.

Once personal information is no longer required, we will securely delete or deidentify it so that it is no longer identifiable.

10. Data Security

We implement robust security measures to protect your personal information from unauthorised access, disclosure, or loss, including:

  • Encryption of sensitive data at rest and in transit, including Amazon Connect credentials (access keys and secret keys)
  • Secure storage of monday.com access tokens using industry-standard encryption methods
  • Multi-factor authentication for administrative access to our systems
  • Secure storage of call transcripts and customer contact information
  • Regular security audits and vulnerability assessments
  • Role-based access controls to limit access to personal information
  • Secure API endpoints for data transmission between monday.com and Amazon Connect
  • Regular backup procedures with encrypted storage
  • Monitoring systems to detect unusual activity or potential security incidents

In the event of a data breach affecting any of your stored information (including Account Information, User and Contact Details, Amazon Connect Configuration, Call Data, Board Synchronisation Data, or Campaign Information), we will notify affected individuals and relevant authorities in compliance with applicable laws, including the Australian Notifiable Data Breaches scheme, GDPR Article 33, and relevant U.S. state laws.

11. International Data Transfers

Personal information we collect may be stored and processed in your region, in Australia, or in any other country where we or our affiliates or service providers maintain facilities. We may transfer personal information to jurisdictions outside of Australia, the UK, or the EU, including to cloud service providers and other third-party vendors. Before transferring data overseas, we take reasonable steps to ensure that the recipient complies with Australian Privacy Principles (APPs), GDPR, or offers equivalent protections. This may include contractual obligations requiring compliance with privacy standards comparable to those in Australia, the EU or the UK, such as the Privacy Principles, Standard Contractual Clauses, adequacy decisions, Binding Corporate Rules, or additional safeguards where necessary, in compliance with applicable privacy laws. If you require further information about how we protect your data overseas, please contact us at [email protected].

12. Your Rights and Choices

12.1. General Rights

Depending on your jurisdiction, you may be able to exercise the following rights in relation to your personal information:

  • to request access to, or a copy of, the personal information we hold about you and to request any corrections be made to inaccurate or incomplete personal information;
  • to request a structured, commonly used, and machine-readable copy of your personal information (such as your account information, preferences, and transaction history);
  • to request the deletion of your personal information where permitted by law;
  • to object to, or opt out of, certain processing activities where it is based on legitimate interest, including targeted advertising, behavioural profiling, or similar activities;
  • If you are subject to AI-based decisions, you may request a manual review of the decision and present additional information.

In addition, where the basis for us processing your information is based on your consent, you have the right to withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing carried out before your withdrawal.

To exercise your rights, please contact us at [email protected].

12.2. Rights in Relation to SPI

With respect to any SPI we may hold, you may have the right to:

  • Restrict the use of SPI for non-essential purposes such as targeted advertising;
  • Request that SPI is deleted or anonymised when no longer necessary for legal or service-related purposes;
  • Opt-out of the sale or sharing of SPI for commercial purposes.

To exercise your rights, please contact us at [email protected].

12.3. Opting-Out

Where you have the right to opt out, you may do so:

  • by adjusting your cookie preferences through your browser settings to block tracking;
  • via the Digital Advertising Alliance or the Network Advertising Initiative;
  • by submitting a "Do Not Sell or Share My Personal Information" request to opt out of the sale or sharing of personal data for advertising purposes, by contacting us at [email protected] with the subject line "Do Not Sell My Personal Information" (U.S. Users Only).

13. Children's Privacy

Our Services are not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete it.

14. Contact Information

If you have any questions or concerns about this Privacy Policy or how we handle your personal information, please contact us at [email protected].

15. Complaints

If you have a complaint about the way in which we have handled any privacy issue, including your request for access or correction of your personal information, you should contact us at [email protected].

We will consider your complaint and determine whether it requires further investigation, and will notify you of the outcome of this investigation and any subsequent internal investigation.

If you remain unsatisfied with the way in which we have handled a privacy issue, you may approach an independent advisor or, depending on your jurisdiction, contact the following authorities for guidance on alternative courses of action which may be available:

  • Australia: Office of the Australian Information Commissioner (OAIC)
  • EU/UK: National Data Protection Authority
  • U.S.: Relevant state privacy agencies

16. Policy Updates

We reserve the right to make changes to this Privacy Policy from time to time to reflect changes in the laws or regulations, our practices, our Services, or our operational requirements.

If we make any material changes to the terms of this policy, or any other change that may be relevant to you or impact you, we will notify you via email, website banner, or in-app notification ahead of the changes taking effect. Continued use of the Services after any updates constitutes your acceptance of the revised Privacy Policy. Please review this page periodically, and especially before you provide any personal information to us.