Privacy Policy - Roast

Privacy Policy

Introduction

This Privacy Policy details the commitments that KT Innovations (KTI) makes to all Users of the web application Roast and its related services, as described in the Terms of Use, in regard to the personal data that Roast may process.

Definitions

  1. User

    An individual that holds an account with Roast as either an Owner, Administrator, Participant, or any combination of the three.

  2. Owner

    An individual or entity that is a customer of KTI and has purchased a subscription to Roast.

  3. Administrator

    An individual designated by an Owner as having permission to create and send Surveys as well as view results.

  4. Participant

    An individual invited to participate in a Roast Survey.

  5. Project

    A set of data meant to represent a single building or site. A Project has a single Owner, and can have many Administrators, Participants, Surveys, and floorplans associated with it.

  6. Survey

    A set of questions and response data sent out by an Owner or Administrator to a group of Users. Each Survey will always belong to a single Owner and be part of a single Project. Response data for a Survey includes location information, outfit information, and responses to multiple choice questions.

  7. Site Visitor

    An individual who visits and interacts with the Roast website.

Collected Information

KTI understands the importance of User privacy and any information generated via Roast is used solely for the purpose of software development. KTI does not sell or transfer User information to any third party other than vendors providing services related to Roast’s core functionality. KTI does not share User data unless granted explicit permission or if required for legal compliance. Owner, Administrator, and Participant information is considered confidential. KTI does not access or disclose this information. The data Roast collects will depend on the User’s specific role.

    1. Information Collected from All Users

      The following types of information are collected from all Users (Owners, Administrators, and Participants).

      1. Email Address

        The email address provided by the User at registration is the only method KTI uses to communicate account updates, password recovery, and general notifications. Users may customize their email notification settings following registration.

      2. Password

        Passwords authenticate and secure User accounts. Passwords are cryptographically hashed, so unencrypted versions of User passwords are never stored or accessed by KTI. Requests for more information on Roast’s password security practices can be submitted via the Contact Us page on the Roast website.

      3. Survey Data

        Roast collects and stores information provided by Users answering a Survey, including but not limited to: Survey responses, location data as reported on the Survey floorplan, and outfit details.

      4. Browser Data

        Roast automatically logs information about User browsers, including but not limited to browser type and version number. KTI aggregates and analyzes browser data to ensure adequate development to support popular browser types. KTI also uses this data to assist in troubleshooting or bug fixes.

    2. Information Collected from Owners

      Roast collects the following information from Owners, in addition to the information collected from all Users, described in Section 3, Subsection a, “Information Collected from All Users.”

      1. First and Last Name

        First and last names help the Roast team identify Owners and assist them with Project set up. They also help other Administrators recognize the Owner while managing Users and creating Surveys. Lastly, Roast uses Owner first and last names to generate emails with customized salutations.

      2. Billing Information

        KTI collects and stores Owner addresses, phone numbers, and payment records to process Roast payments via invoice. This information is not held on the Roast website, but in a secure offline database. KTI does not store or request credit card information.

      3. Third Party Information

        Roast may obtain information about Owners and their contacts from third party sources such as public databases or social media platforms. KTI uses this information for networking and marketing opportunities, and for general promotion.

    3. Information Collected from Administrators

      Roast collects the following information from Administrators, in addition to the information collected from all Users, described in Section 3, Subsection a, “Information Collected from All Users.”

      1. First and Last Name

        First and last names help Owners identify Administrators and assist them with Project set up. They also help other Owners and Administrators recognize the Administrator while managing Users and creating Surveys. Lastly, Roast uses Administrator first and last names to generate emails with customized salutations.

      2. Third Party Information

        Roast may obtain information about Users and their contacts from third party sources such as public databases or social media platforms. KTI uses this information for networking and marketing opportunities, and for general promotion.

    4. Information Collected from Participants

      Roast collects the following information from Participants, in addition to the information collected from all Users, described in Section 3, Subsection a, “Information Collected from All Users”.

      1. First and Last Name

        First and last names help Administrators and Owners identify Participants while managing Users and creating Surveys. Roast also uses first and last names to generate emails with customized salutations.

    5. KTI collects information from site visitors that interact with the Roast website. The data collected includes: what webpages are visited; data entered into webpage forms; clicks and other actions performed. KTI also collects browsing data and analytics through the following third-party services: DataBox, Google Analytics, LinkedIn Analytics, and HubSpot Analytics.

      1. Cookies Policy

        Cookies are alphanumeric identifiers stored on a device to recognize repeat users accessing the Roast site. Like most commercial websites, KTI uses cookies on Roast webpages. KTI uses cookies to recognize Site Visitor visits, interests, and preferences, and to analyze traffic. Site Visitors may choose to accept the use of cookies via the website Cookies Banner. Consent must be renewed every 12 months. In order to remove or disable cookies, please refer to your browser’s configuration documentation. Disabling cookies may adversely impact interactions with the Roast website.

      2. List of Cookies Used on the Roast Website:
| Name | Expiry | Description |
|---|---|---|
| _ga | 2 years | Used to distinguish users |
| _gid | 24 hours | Used to distinguish users |
| _gat | 1 minute | Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>. |
| AMP_TOKEN | 30 seconds to 1 year | Contains a token that can be used to retrieve client ID from AMP Client ID service. Other possible values include opt-out, inflight request or an error retrieving a client ID from AMP Client ID service |
| _gac_<property-id> | 90 days | Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out |
| drt | 1 day | Used to connect LinkedIn analytics with Google Analytics |
| _hs_opt_out | 13 months | This cookie is used by the opt-in privacy policy to remember not to ask the visitor to accept cookies again. This cookie is set when you give visitors the choice to opt out of cookies. |
| __hs_do_not_track | 13 months | This cookie can be set to prevent the tracking code from sending any information to HubSpot. Setting this cookie is different from opting out of cookies, as it still allows anonymized information to be sent to HubSpot. |
| hs_ab_test | Browsing session | This cookie is used to consistently serve visitors the same version of an A/B test page they’ve seen before. |
| <id>_key | Browsing session | When visiting a password-protected page, this cookie is set so future visits to the page from the same browser do not require login again. The cookie name is unique for each password-protected page. |
| hs-messages-is-open | 30 minutes | This cookie is used to determine and save whether the chat widget is open for future visits. It resets to re-close the widget after 30 minutes of inactivity. |
| hs-messages-hide-welcome-message | 1 day | This cookie is used to prevent the welcome message from appearing again for one day after it is dismissed. |
| __hsmem | 1 year | This cookie is set when visitors log in to a HubSpot-hosted site. |
| __hstc | 13 months | The main cookie for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session). |
| hubspotutk | 13 months | This cookie is used to keep track of a visitor’s identity. This cookie is passed to HubSpot on form submission and used when deduplicating contacts. |
| __hssc | 30 minutes | This cookie keeps track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp. |
| __hssrc | Browsing session | Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session. |
| messagesUtk | 13 months | This cookie is used to recognize visitors who chat with you via the messages tool. If the visitor leaves your site before they’re added as a contact, they will have this cookie associated with their browser. If you chat with a visitor who later returns to your site in the same cookied browser, the messages tool will load their conversation history. |

Legal Basis for Processing Personal Information (EEA Users Only)

Users within the European Economic Area (EEA) have additional rights and protections under the law. Most of these rights are enumerated in Section 13 below, “User Rights.” EEA Users also have the right to more detail surrounding the legal justification for collecting and processing their data. Requests for more information on Roast’s legal basis for processing personal information can be submitted via the Contact Us page on the Roast website.

    1. Legitimate Interests

      KTI’s legal basis for collecting and using personal information is based on its legitimate interest in providing its service to the User, in all cases except those highlighted in Section 4, Subsection b, “Legal Basis for Processing Outside of Legitimate Interests,” and where such interests are overridden by data protection interests or fundamental rights and freedoms. Additional information about why KTI processes each category of data can be found in Section 3 above, “Collected Information.” Legitimate interests include:

      1. Providing detailed and high-quality Survey data to building managers, architects, researchers, and other interested parties.

      2. Providing a satisfying and customized Survey experience to Owners, Administrators, and Participants.

      3. Developing and improving Roast.

    2. Legal Basis for Processing Outside of Legitimate Interests

      Some Owner data is collected because of KTI’s contractual obligation with Owners to provide service. Specifically, Roast requires Owners to provide an email address used to register a Roast account. The email address provided is the only method KTI uses to communicate account updates, password recovery, and general notifications. Owners must also provide KTI an address and phone number for the purpose of billing invoices for the cost of Roast.

      In some situations, including a breach of Roast’s databases, KTI has a legal obligation to investigate its data or to share certain data with authorities for investigation purposes. KTI will not share any information not required to comply with applicable laws.

Shared Information

KTI does not share information with any third party, nor does it allow any third party to gather data from the Roast website, with the following exceptions:

  1. General Sharing

    KTI will share information with its contractors, service providers, and other third parties providing data processing services and with whom the sharing of personal information is necessary to operate Roast. These third parties include Roast’s database host and email notification service. KTI also enters into data processing agreements with third party data processors for purposes of compliance with legal standards including the General Data Protection Regulation (GDPR), and to maintain best practices in privacy and security standards. By agreeing to Roast’s Terms of Use, Users authorize KTI to engage these processors.

    KTI will also share information as required by law in order to comply with any court order, subpoena, or other law or legal process when such a disclosure is necessary to investigate fraud, respond to a government or regulatory request, or protect KTI’s rights, User safety, or the safety of others.

    KTI shares aggregated, anonymous data such as total sales and total Users with its parent company, KieranTimberlake, to inform business decisions. This data does not include information specific to a particular Project or User.

    In the event of a merger, sale, or transfer of some or all of Roast’s assets, KTI will share information with a buyer or other successor.

    KTI retains liability in cases of onward transfers to third parties.

  2. Sharing Names and Email Addresses
    1. Sharing Owners’ Names and Emails

      The name and email address associated with an Owner’s account are shared with the Administrators and Participants that the Owner has invited to Roast. This information improves User experience, increases response rates, and informs Users how their data was obtained.

    2. Sharing Administrators’ Names and Emails

      The name and email address associated with an Administrator’s account are shared with other Administrators and Participants that the Administrator has invited to Roast. This information improves User experience, increases response rates, and informs Users how their data was obtained. Administrators’ names and email addresses are also shared with the Owner and other Administrators assigned to that Project, for convenience when building Projects and Surveys.

    3. Sharing Participants’ Names and Emails

      The name and email address associated with a Participant’s account are shared with the Owner and Administrators tied to the Roast Survey they join. Names are provided for Owners’ and Administrators’ convenience when building Projects and Surveys.

  3. Sharing Survey Responses

    In the event that a User responds to a Survey, their response, including location, outfit information, and Survey answers, is accessible to the Owner and any Administrators tied to the Project. This Survey data is anonymized in the browser Results page, but when an Owner or Administrator downloads the full response data for analysis, a two-step process makes it possible for the Owner or Administrator to associate the participant emails with a specific response. This feature allows Owners or Administrators to contact participants to try to resolve specific discomforts and better manage their buildings. For more information regarding Owner and Administrator access to Survey data, Users can contact us via the Contact Us page on the Roast website.

Security

Whenever possible, Roast uses the most up to date and secure methods for data access and employs the most responsible and well-equipped vendors for data storage. Users are also encouraged to deploy their own data security tools when transmitting personal data, including but not limited to Internet firewalls and secure email servers. In the event of a security breach, KTI will notify affected Users so that they can take appropriate protective steps. KTI’s breach notification procedures are consistent with its obligations under applicable country level, state and federal laws and regulations, including the GDPR. Requests for more information on Roast’s security practices can be submitted via the Contact Us page on the Roast website.

Cookies

Roast uses cookies only where necessary to allow Users to remain logged in to Roast throughout their session of Roast usage. Checking the box labeled “Remember me” upon login will enable these authentication cookies to remain on a User’s device for two weeks before expiring and removing themselves. Users who do not check “Remember me” will have their cookies removed after a 24-hour period, or after the User closes the browser they used to access Roast, whichever occurs first. Because these cookies are necessary for the functioning of Roast and have no application outside of Roast, their placement is not impacted by Do Not Track browser settings.

Data Retention

How long Roast stores the User data described in Section 3, “Collected Information” depends on the User’s role.

Users can terminate their account upon request via the Contact Us page on the Roast website. Requests for termination must include the first and last name and email address associated with the Roast account. Following receipt of a termination request, KTI will delete the account in no less than 14 business days. If an Owner requests that their account be deleted in this way, all data solely associated with the Projects they owned, such as floorplans and Survey data, will be deleted as well.

KTI will delete all account data, such as first and last name, email and outfit data, connected with an account at the time of account deletion, unless that information is required to be kept by local, state, federal or country laws, or that data is being used purely for statistical purposes.

  1. Owner

    All Owner account data, such as first and last name, email and outfit data, as well as the data associated with Projects belonging to the Owner, such as floorplans and response data, is stored for the entirety of the subscription period. Following account expiration, this data is archived on Roast servers for a period of 6 months. During this 6-month expiration grace period, Owners can’t access this data, but it will be restored once the subscription is renewed. Following the 6-month expiration grace period, this data is deleted from Roast servers and will no longer be accessible even after subscription renewal.

    Owners may choose to delete any Projects or Surveys under their control at any time during their subscription. When a Project or Survey is deleted, all associated Project or Survey data is deleted, such as Survey responses or Project floorplans.

  2. Administrator

    Account data for Administrators, such as their first and last name, email and outfit data, is held on the Roast database as long as they remain an active User on Roast. Account information is deleted after 6 months of inactivity, or when the Administrator requests their account be deleted.

    Administrators’ Survey response data is retained at the discretion of the Owner, under the rules outlined in Section 8, Subsection a. If an Administrator would like their response data deleted sooner, they are responsible for contacting the Owner regarding this request.

    Administrators may choose to delete Surveys under their control at any time during their subscription. When a Survey is deleted, all associated Survey data is deleted, such as Survey responses.

  3. Participant

    Account data for Participants, such as their first and last name, email and outfit data, is held on the Roast database as long as they remain an active User on Roast. Account information is deleted after 6 months of inactivity, or when the Participant requests their account be deleted.

    Participants’ Survey response data is retained at the discretion of the Owner, under the rules outlined in Section 8, Subsection a. If a Participant would like their response data deleted sooner, they are responsible for contacting the Owner regarding this request.

Minors

Roast is not intended for and may not be used by “Minors,” defined as children under the age of 13, unless otherwise determined by the laws of their residence. Roast does not knowingly collect personal information from Minors or allow them to register. If KTI becomes aware that Roast has been used to collect personal data from a Minor or Minors, KTI will delete this information without notice. Notifications of Roast usage by a Minor can be submitted via the Contact Us page on the Roast website.

Privacy Policy Changes

As KTI’s services and the legal landscape evolve, changes to this Privacy Policy may become necessary. The most current version will always be available on the Roast website. In the event that Privacy Policy changes will have a significant impact on Users, as determined by KTI, Users will receive an email alert notifying them of the changes. Because Roast access is contingent upon agreement to the Privacy Policy, Users that do not agree to any of the revisions must discontinue using Roast.

Commitment to Comply with the Privacy Shield Framework

KTI complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. KTI has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/

Data Control

Roast’s uploaded and processed data is controlled by either Owners or KTI, depending on the data type.

  1. Response Data

    Roast collects and stores information provided by Users, including but not limited to: Survey responses, location data as reported on the Survey floorplan, outfit details, and the time at which responses were submitted. Once provided, this information is controlled by the Owner and any Administrators assigned to the User’s Project.

  2. Owner Contact Information

    Roast collects and stores information provided by Owners, including the Owner’s contact information. Once provided, this information is controlled by KTI.

  3. Administrator and Participant Contact Information

    Owners or Administrators provide Roast with User email addresses that allow Users to join a Project or Survey. By agreeing to Roast’s Terms of Use, Owners and Administrators confirm they have all requisite rights and permissions to generate, access, and use the data associated with their Surveys and Projects, including Administrator and Participant email addresses. Contact information is controlled by the Owner and any Administrators the Owner assigns to their Project.

  4. Account Information

    All other account information, including but not limited to, names, notification settings, passwords, billing information, and usage data, is controlled by KTI.

User Rights

  1. User Rights Overview

    This section provides an overview of User rights. Some Users, including those within the European Economic Area, as well as Swiss individuals, have additional rights detailed in Section 13, subsection b, “Rights for EU, UK, and Swiss Individuals,” that they can exercise by contacting their data controller through the mechanisms provided in Section 13, Subsection c, “Exercising User Rights.”

    User rights include:

    1. Data access rights: the right to obtain and view their User data processed by Roast.

    2. Right to restrict processing: the right to ask that their User data be held without further processing.

    3. Right of rectification: the right to request that incorrect data about them be corrected.

    4. Right to erasure/right to be forgotten: the right to request that their User data be deleted.

    5. Right to object: the right to object to the legal basis for processing their User data.

    6. Right to data portability: the right to obtain their User data in a format that is usable in other applications.

    These rights may be subject to exceptions or limitations in very select circumstances. KTI will notify Users of such circumstances in its response to requests to exercise rights.

  2. Rights for EU, UK, and Swiss Individuals

    EU, UK, and Swiss individuals are granted rights in accordance with Privacy Shield principles. These principles are: notice; choice (the opportunity to opt out of disclosure of their personal information to a third party, or the use of their personal information for purposes materially different from the purposes for which it was originally collected); accountability for onward transfer; security; data integrity and purpose limitation; access (the right to know what personal information an organization holds, and to be able to correct, amend, or delete that information in appropriate cases); and recourse, enforcement and liability. Rights pertaining to these principles are detailed in the Privacy Shield Framework. KTI is committed to subjecting all personal information and data received from EU, UK, and Swiss individuals to the Privacy Shield Framework’s applicable principles.

    1. Owners

      Owners should submit a request via the Contact Us page on the Roast website or write to KTI at:

      841 North American Street, Philadelphia, PA 19123, USA

      KTI will respond to requests to exercise these rights within 30 days of their receipt. Owners can also view and change their name, notification settings, password, and outfit information by visiting their Roast profile page.

    2. Administrators

      To exercise their rights regarding response data or contact information, Administrators should contact the Owner of the Survey they are administering, since the Owner is the controller of their User data. More information on data controllers is available in Section 12, “Data Control”.

      Administrators having difficulty contacting their Survey Owner or wishing to exercise their rights regarding other data types should submit a request via the Contact Us page on the Roast website, or write to KTI at:

      841 North American Street, Philadelphia, PA 19123, USA

      For requests regarding data that KTI is the controller of, KTI will respond to requests to exercise these rights within 30 days of their receipt. For requests regarding data that Owners control, KTI will do its best to facilitate communication in a quick and satisfactory manner. Administrators can also view and change their name, notification settings, password, and outfit information by visiting their Roast profile page.

    3. Participants

      To exercise their rights regarding response data or contact information, Participants should contact the Owner of the Survey they are administering, since the Owner is the controller of their User data. More information on data controllers is available in Section 12, “Data Control”.

      Participants having difficulty contacting their Survey Owner or wishing to exercise their rights regarding other data types should submit a request via the Contact Us page on the Roast website, or write to KTI at:

      841 North American Street, Philadelphia, PA 19123, USA

      For requests regarding data that KTI is the controller of, KTI will respond to requests to exercise these rights within 30 days of their receipt. For requests regarding data that Owners control, KTI will do its best to facilitate communication in a quick and satisfactory manner. Participants can also view and change their name, notification settings, password, and outfit information by visiting their Roast profile page.

       

      Exercising User Rights

      To exercise their rights, Users will need to contact the controller of their data.

    4. Site Visitors

      To exercise their rights regarding response data or contact information, or to withdraw consent to the use of Cookies at any time, Site Visitors should submit a request via the Contact Us page on the Roast website, or write to KTI at:

      841 North American Street
      Philadelphia, PA 19123
      USA

      For requests regarding data that KTI is the controller of, KTI will respond to requests to exercise these rights within 30 days of their receipt. For requests regarding data that Owners control, KTI will do its best to facilitate communication in a quick and satisfactory manner.

  3. User Rights Compliance

    KTI will resolve complaints about Roast’s collection or use of User information. European Union, UK, and Swiss individuals with inquiries or complaints regarding Roast’s Privacy Policy should submit a request via the Contact Us page on the Roast website, or write to KTI at:

    841 North American Street, Philadelphia, PA 19123, USA

    KTI will cooperate with the panel established by the European Union (EU) data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner, and it will also comply with the advice given by the panel and Commissioner regarding data transferred from the EU and Switzerland.

    The DPA of the nation in which a User is located will serve as the lead supervisory authority for a User’s complaint, as per the guidelines released by the Article 29 Data Protection Working Party of the European Commission.

    Under certain conditions in which KTI cannot adequately address the complaint, users have the right to invoke binding arbitration.

    KTI is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).