We are Tray.ai, Inc. (“we”, “us” or “our”) and we provide a platform that allows you to easily automate complex processes in your organization (“Services”). Whilst we are based in the United States, we also have a wholly owned UK subsidiary (Plan.nr Ltd).
We put great efforts in making sure that we secure the personally identifiable information related to you (“Personal Information”) and use it properly. This privacy policy will tell you how we use and protect Personal Information when you interact with us and use our website or platform. Hence, we process Personal Information subject to the terms of this policy.
This privacy policy is an integral part of our Terms and Conditions or, if applicable, of any other Services agreement entered into between you (or the entity that you are acting on behalf) and us.
The Summary of this policy will give you a quick and clear view of our practices. Please take the time to read our full privacy policy.
Overview of our Services – Our Services provide our customers a platform which can easily automate complex processes in your organization.
What type of Personal Information do we collect? – We collect most of the Personal Information related to you through the registration and login processes to our Services and your engagement with our website.
The purposes of use of the Personal Information – We collect the Personal Information related to you, for various business purposes as further detailed in ‘The purposes of use of the Personal Information’ section of this privacy policy.
Sharing Personal Information with third parties – We share information with our service providers as necessary to facilitate our business. We will share information when we change our corporate structure, and we will share the information with our affiliated entity.
Cross-border transfer – We use cloud-based services to store and process data in the United States, European Union, United Kingdom and Australia and will store them at additional sites, at our discretion, in accordance with applicable laws.
How do we secure the Personal Information? – We implement physical, technical and organizational measures to secure your Personal Information from loss, misuse, unauthorized access or disclosure, alteration or destruction.
Aggregated and analytical information - Aggregated data is not identifiable. We use standard analytical tools for legitimate business purposes.
What are your choices? – You may opt-out of our mailing lists and terminate your use of our website. Termination of our Services is subject to the terms of the customer’s Services agreement with us.
Accessing Personal Information related to you – At any time you can request access to Personal Information related to you.
Specific provision for EEA residents – If we process Personal Information related to you when you are in the EEA, further terms apply to our processing in relation to your rights as a data subject under EEA data protection laws.
Specific provision for California residents – If you are a California resident, you are entitled to specific privacy rights.
Data retention – We retain different types of Personal Information for different periods, depending on the purposes for processing the information, our legitimate business purposes as well as pursuant to legal requirements.
No AI/ML Training with Google OAuth Data – We do not use data authenticated with our Google Workspaces OAuth application, service or API to train any generalized AI or ML models. This is as required and agreed to in partnership with Google. For further information about how we use consume data for AI or model training please refer to this: https://tray.ai/documentation/tray-uac/merlin-ai/how-does-merlin-ai-use-my-data/
Changes to this privacy policy – We will update this privacy policy from time to time after giving proper notice.
Contact us – Please contact us at: privacy@tray.ai, or at our offices located at Tray.ai, Inc. 25 Stillman Street, San Francisco, CA 94107, United States.
Our Services provide our “Customers”, i.e. entities which engage in a contractual relationship for the provision of our Services, an online platform through which organizations can easily automate complex processes, and connect their entire cloud stack.
To the extent that our Customers have provided us with personal contact details, rather than corporate business contact information, then such personal contact details will be collected by us. As such, the Personal Information we collect is used for the business relationships with our Customers, and service providers which engage with us for the provision of Services, goods or assets (“Service Provider”).
You provide most of the Personal Information through the registration and login processes to our Services and through the submission of your details on our website.
The Services and our website are not directed for children under 18 years of age and we do not intentionally or knowingly collect Personal Information on such users.
Website visitors
When you contact us, for example to get a demo of our Services or to subscribe to our blog, or for any other reason, we will receive and process any Personal Information that you provide to us, such as your name, phone number and email address. In addition, we will collect any Personal Information that you will provide to us while communicating with us, for example via our messaging platform.
We use cookies and similar tracking technologies to make it easier for you to log-in and to facilitate the website and Services activities, to analyze performance and marketing activities, and to personalize your experience. Please see which cookies we place and why at https://tray.ai/cookies. We also use standard analytics tools as described in the Section titled “Aggregated and analytical information” of this privacy policy.
Tray platform users
If you have expressed an interest in our Services, or you have signed up for an account on behalf of a Customer, we will use the contact information you provided, such as your name, phone number and email address, to better understand how we can tailor the Services to you and better inform our sales team.
To the extent that a Customer, or anyone on its behalf, has provided us with personal contact details, rather than corporate business contact information (e.g., office@organization.com), then the aforementioned information will constitute Personal Information of such user.
Note, that if you create an account with us, we will need additional Personal Information to ensure the security of your account. You will be asked to create a password which will not be viewable by us or provide an access token which will not be usable by us.
In addition, we will collect any information that you provide whilst building workflows in the course of using our Services, answering our surveys and providing us with feedback regarding our Services.
We will use your phone number or your email address to send marketing emails in order to contact you about the use of our Services or to promote services which we feel you will be interested in. If you communicate with us, phone calls may be recorded for staff training or sales quality purposes.
Tray’s job candidates
If you are sending us a job application or job inquiry we will ask you to provide us with Personal Information about yourself so we can evaluate your application. If this information is not provided, our ability to consider you as a candidate may be limited. All information is provided on a voluntary basis and you determine the extent of information that you provide to us. The kind of information we collect from job candidates can include:
Your first and last name, email address, a home, postal or other physical address, other contact information, title, occupation, industry, personal interests, CV, work permit or visa information (where applicable), educational and employment history, referrals and references, job preferences, and other information you provide us with.
We use the Personal Information we collect for all of the following purposes:
If you are a job applicant, we use the Personal Information collected to evaluate and assess your job application and suitability for the relevant position, as well as other existing or future job openings pursuant to your consent, and to further contact you if the application process is successful.
We will process, use, retain and share Personal Information solely for the purposes described in this privacy policy and only when reasonably necessary and proportionate to achieve such purposes for which such information was collected and processed.
To the extent relevant and possible, we will make efforts to maintain the Personal Information accurate, complete and up to date.
Like many companies, we use a number of Service Providers to help us provide the Services. Whilst these Services will require Personal Information related to you to be disclosed, we only allow these Service Providers to use it as necessary to fulfill the purposes for collecting the Personal Information under this privacy policy and under strict conditions.
For example, if you are our user or a website visitor, your contact information will be shared with our Service Providers for the purpose of finding additional personal data relating to you (enrichment) to aid our sales team or to provide a more tailored service. In addition, we will use customer support and analytics services like Intercom and Segment to provide you with customer support and learn how you use our Services.
Where we believe, under our discretion, that an alternative service is more suited for the needs of your entity, we will share your contact information with our authorized partners based on your consent. The partners will reach out to you and will offer you either our offering or a 3rd party offering.
Furthermore, we share Personal Information with our corporate affiliate (Plan.nr Ltd.) that is our UK subsidiary, for the purpose of operating our Services.
We will disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. In addition, we would disclose or use users' Personal Information to defend or enforce our legal rights and in accordance with any applicable law.
Additionally, a merger, acquisition or any other structural change will require us to transfer your Personal Information to another entity, as part of the structural change, provided that the receiving entity will comply with this policy.
We are a global company with a headquarter in the US. We therefore process Personal Information in the US.
When processing Personal Data, we do so under the strict safeguards mentioned on our security page at https://tray.ai/trust.
When we transfer Personal Information to any of our service providers or partners in the US or a third country, we ensure that there is a lawful basis for the transfer (such as Standard Contractual Clauses as adopted by the European Commission, or a certification under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework), in order to safeguard the transfer of Personal Information we collect from the European Economic Area, the United Kingdom (the "UK"), and Switzerland and to ensure that adequate protection for Personal Information relating to you is provided as required by applicable law.
Tray complies with the principles of the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. Tray has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of Personal Information received from the European Union in reliance on the EU-U.S. DPF, and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Tray has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of Personal Information received from Switzerland in reliance on the Swiss-U.S. DPF (the “Swiss-U.S. DPF Principles”, and together with the EU-U.S. DPF Principles, the “DPF Principles”). If there is any conflict between the terms in this Policy and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov.
Under the DPF Principles we are responsible for the processing of Personal Information we receive and, subsequently, for the Personal Information that we then transfer to a third-party service provider acting as an agent on our behalf, if the Personal Information is processed in a manner inconsistent with the Data Privacy Framework.
If you are located in the European Economic Area, the United Kingdom, or Switzerland you may seek confirmation regarding whether Tray is processing Personal Information about you, request access to Personal Information, and ask that we correct, amend or delete your Personal Information where it is inaccurate or has been processed in violation of the DPF Principles. Where otherwise permitted by applicable law, you may use any of the methods set out in this privacy policy to request access to, receive, object to processing, restrict processing, seek rectification, or request erasure of Personal Information relating to you held by Tray.
Tray may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have any questions, concerns, or complaints about our compliance with the DPF Principles, we encourage you to contact us under the contact details set forth in the section titled “Additional Information and Contact Details” below.
If you have an unresolved complaint regarding our handling of Personal Information we received in reliance on the Data Privacy Framework, please contact JAMS, our U.S.-based third-party dispute resolution provider (free of charge), at https://www.jamsadr.com/DPF-Dispute-Resolution.
Finally, if you have a complaint that we have violated the DPF Principles that has not been resolved by other means, you may have the ability to invoke binding arbitration as outlined more fully on the Data Privacy Framework website.
Tray is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
We understand the importance of the Personal Information we collect from our Customers and sensitivity of what our Customers may want to use our platform for. We therefore take maximum precautions and provide full transparency of how we do this. See our security page at https://tray.ai/trust for information on how we safeguard your data and the compliance certifications we maintain.
Among other things, we maintain the confidentiality of Personal Information related to you and we take reasonable steps to ensure that the Personal Information is accurate, complete, current and reliable for its intended use. We have put in place appropriate physical, technical and organizational controls to safeguard and secure Personal Information related to you from loss, misuse, unauthorized access or disclosure, alteration or destruction.
These measures provide industry standard security. However, although we make efforts to protect your privacy, we cannot guarantee that the Services or our website will be immune from cyber-attacks, malicious activities, malfunctions, honest mistakes or other types of abuse and misuse.
We use cookies and similar tracking technologies in order to operate and improve our Services and learn about how you and other users use our Services. We share anonymous, statistical or aggregated extracts of such information with our partners for our legitimate business purposes. This has no effect on your privacy, because there is no reasonable way to extract data from the aggregated information that we or others can associate specifically to you.
More information about the cookies and other tracking technologies that we are using can be found at https://tray.ai/cookies.
At any time, you may opt-out of our mailing list by contacting us. You may request that the Personal Information related to you will not be shared with our affiliates and Service Providers (other than those acting as our sub-processors). In the event that we intend to use the Personal Information related to you for a purpose that is materially different from the purpose(s) for which it was originally collected, we will inform you about this and will not use Personal Information related to you for such different purpose unless authorized by you.
You can exercise your choices by contacting us at: privacy@tray.ai.
It may take up to ten (10) business days for your opt-out request to take effect. Please note that certain opt-out requests may require us to terminate your user account, for example, if transferring your Personal Information to a Service Provider is essential to provide the Services.
Termination of the Services is subject to the terms of the Customer’s Services agreement with us. At any time, you can stop using the website and ask that we delete your Personal Information. However, we may store and continue using or making available certain Personal Information related to you. For further information, please read the Data Retention section in this privacy policy.
Some web browsers offer a "Do Not Track" ("DNT") signal. A DNT signal is a HTTP header field indicating your preference for tracking your activities on the Services or through cross-site user tracking. Our Services and website do not respond to DNT signals.
If you find that the Personal Information that we keep about you is not accurate, complete or up to date, please provide us the necessary information to correct it.
At any time, you can contact us at: privacy@tray.ai and request to access the Personal Information that we keep about you. We will ask you to provide us certain credentials to make sure that you are who you claim to be and to the extent required under applicable law, will make good-faith efforts to locate the Personal Information that you request to access.
We will use judgment and due care to redact from the data which we will make available to you, Personal Information related to others.
The General Data Protection Regulation (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”) and the Swiss Federal Act on Data Protection (“FADP”) provide residents of the EEA, UK or Switzerland (as applicable) specific rights regarding their Personal Information. If the GDPR, or the UK GDPR or the FADP applies to the processing of Personal Information related to you by us, then the terms listed in this section apply, in addition to your rights under this Privacy Notice.
We base our processing of Personal Information (which is equivalent to the relevant term under the GDPR – “Personal Data”) as a Data Controller on the following lawful grounds:
At any time, you can contact our privacy team at:
privacy@tray.ai and request to exercise your rights in accordance with the provisions provided by law:
If you exercise one (or more) of the above-mentioned rights, in accordance with the provisions under the law, you are entitled to request to be informed that third parties that hold Personal Information related to you, in accordance with this privacy policy, will act accordingly.
We do periodical assessments of our data processing and privacy practices, to make sure that we comply with this privacy policy, to update the privacy policy when needed, and to verify that the privacy policy is displayed properly and accessible.
We will look into your query and make good-faith efforts to resolve any existing or potential dispute with you. Note that when you send us a request to exercise your rights, we will need to reasonably authenticate your identity and location. We will ask you to provide us credentials to make sure that you are who you claim to be and will further ask you questions to understand the nature and scope of your request.
Where we process Personal Information as part of the Services, as a data processor of our users, we are committed to assist our data controllers in fulfilling the above mentioned rights under the GDPR.
If you have any concerns about the way we process Personal Information related to you, you are welcome to contact us at: privacy@tray.ai.
This section applies solely to users of our Services who reside in the State of California.
If you are a California resident, California Civil Code Section 1798.83 permits you to request in writing a list of the categories of personal data relating to third parties to which we have disclosed certain categories of personal data during the preceding year for the third parties’ direct marketing purposes. To make such a request, please contact us at: privacy@tray.ai.
In addition, as a California resident, the California Consumer Privacy Rights Act (“CPRA”) applies to you, therefore, the following information, rights and obligations also apply.
Below are details about the categories of Personal Information that we may have collected during the preceding twelve (12) months. The actual Personal Information that has been collected or disclosed within the following categories with respect to any particular California consumer in the last 12 months depends on the consumer’s particular interactions and relationship with us.
We obtain the categories of Personal Information listed above from the following categories of sources:
In the preceding twelve (12) months, we have used the categories of Personal Information that we have collected or received and we have disclosed it to the categories of third parties for the business purposes, as described above under the section titled “Sharing Personal Information with third parties”.
Your Rights as a California Resident (and other US States)
Exercising Your Rights
To exercise your rights under the CPRA as described above, please submit your request to us by sending an email to: privacy@tray.ai.
Only you or a person authorized to act on your behalf, can make a request related to your Personal Information. A request for access can be made by you only twice within a 12-months period.
We cannot respond to your request or provide you with the requested Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. We will only use the Personal Information provided in your request to verify your identity or authority to make the request. We will do our best to respond to your request within 45 days of its receipt. If we require more time (up to additional 45 days), we will inform you of the reason and extension period in writing.
Any disclosures that we provide will only cover the 12-month period preceding receipt of your request.
The response we provide will also explain the reasons for our inability to comply with your request, if applicable.
We do not charge a fee to process or respond to your request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will inform you of the reasons for such decision and provide you with a cost estimate before processing further your request.In the preceding twelve (12) months we have not sold, shared or disclosed Personal Information for consideration.
We do not use Personal Information for the purpose of automated decision-making.
We retain different types of Personal Information for different periods, depending on the purposes for processing such information, our legitimate business purposes as well as pursuant to legal requirements under the applicable laws.
We will maintain your contact details, to help us stay in contact with you. At any time before or after the termination of the Services, you can contact our privacy team at privacy@tray.ai and request to delete your contact details.
Note that we may retain your details without using them unless necessary and for the necessary period of time, for legal requirements and proceedings, and that we will not retain the Personal Information related to you for any longer than reasonably necessary for purposes described in this privacy policy.
We will keep aggregated non-identifiable information without limitation, and to the extent reasonable we will delete or de-identify potentially identifiable Personal Information, when we no longer need to process the information.
In any case, as long as you use the Services, we will keep information about you, unless applicable law requires us to delete it.
From time to time, we will need to update this privacy policy. If the updates have minor, if any, consequences, they will take effect immediately after we post a notice on the Services’ platform and/or our website, or after we send you the notice through email or through the Services. Substantial changes will be effective 30 days after we initially posted our notice. Changes to this privacy policy are effective as of the stated “last updated” date.
Continuing to use the Services or our website after the new privacy policy takes effect means that you agree to the new privacy policy. Note that if we need to adapt the privacy policy to legal requirements, the new privacy policy will become effective immediately or as required.
If you have any questions about this privacy policy or would like to contact us regarding your Personal Information, please contact us at: privacy@tray.ai.
If you have any concerns about the way we process Personal Information related to you, you are welcome to contact our representative in the EU at: privacy-eu-rep@tray.ai. We will look into your inquiry and make good-faith efforts to respond promptly.
This privacy policy was last updated on October 8, 2024.