THE FOLLOWING USER LICENSE AGREEMENT (this “Agreement“) governs your use of the software and services provided by Hemmat Interactive Inc. (“Hemmat“) known as Thyme.org (“Thyme“). This is a legal agreement between you and Hemmat and incorporates Hemmat’s Privacy Policy, which can be found at www.thyme.org/privacy and the attached Exhibits. By registering your use of the Service (as defined below), you accept to be bound to the terms of this Agreement.
1. Definitions
(a) “Administrator” shall mean a Subscriber (as defined in Section 1(i)) with authority to designate additional Authorized Users and/or Administrators, and commit the Subscriber to additional services from Hemmat.
(b) “Agreement” shall mean this entire User License Agreement, including the Privacy Policy and the attached Exhibits:
- Exhibit A — Hemmat Service Level Commitments and Support Services
- Exhibit B — Hemmat Data Protection Addendum for GDPR Compliance
- Exhibit C — Hemmat Authorized Subprocesses
- Exhibit D — Hemmat Legal Service and Notice Provisions
- Exhibit E — Hemmat Privacy Policy
(c) “Authorized User” shall mean an individual subscriber or the partners, members, employees, temporary employees, and independent contractors of an organization with a subscription to the Service who have been added to the account as users.
(d) “Confidential Information” shall mean the Content (as defined in Section 1(e)) and any information, technical data, or know-how considered proprietary or confidential by either party to this Agreement including, but not limited to, either party’s research, services, inventions, processes, specifications, designs, drawings, diagrams, concepts, marketing, techniques, documentation, source code, customer information, personally identifiable information, pricing information, procedures, menu concepts, business and marketing plans or strategies, financial information, and business opportunities disclosed by either party before or after the Effective Date of this Agreement, either directly or indirectly in any form whatsoever, including in writing, orally, machine-readable form or through access to either party’s premises.
(e) “Content” shall mean any information you upload or post to the Service and any information provided by you to Hemmat in connection with the Service, including, without limitation, information about your Authorized Users or Registered Clients, as defined in Section 1(g).
(f) “Primary Subscriber” shall mean the Subscriber who initiated the Services offered by Hemmat and is assumed by Hemmat to have the sole authority to administer the subscription.
(g) “Registered Client” means an individual who has been invited to use the client-facing features of the Service in a limited capacity as a client of an Authorized User.
(h) “Service” shall mean any and all software or services provided by Hemmat, including but not limited to Thyme, software that operates in conjunction with Clio customer relationship management software and Microsoft 365 among other software. The Service does not include Clio or Microsoft 365, which is a separate software not included in this Agreement. Subscriber must be a subscriber of Clio and Microsoft 365 in order to use the Service.
(i) “Subscriber” shall refer to the purchaser of the Services provided by Hemmat and shall also include any present or former agent, representative, independent contractor, employee, servant, attorney and any entity or person who had authority to act on your behalf.
(j) “Security Emergency” shall mean a violation by Subscriber of this Agreement that (a) could disrupt (i) Hemmat’s provision of the Service; (ii) the business of other subscribers to the Service; (iii) the network or servers used to provide the Service; or (b) provides unauthorized third party access to the Service.
2. Limited License & Use of the Service
2.1 Subscriber is granted a non-exclusive, non-transferable, limited license to access and use the Service.
2.2 Hemmat does not review or pre-screen the Content and Hemmat claims no intellectual property rights with respect to the Content.
2.3 Authorized Users agree not to reproduce, duplicate, copy, sell, resell or exploit access to the Service, use of the Service, or any portion of the Service, including, but not limited to the HTML, or any visual design elements without the express written permission from Hemmat.
2.4 Authorized Users agree not to modify, reverse engineer, adapt or otherwise tamper with the Service or modify another website so as to falsely imply that it is associated with the Service, Hemmat, or any other software or service provided by Hemmat.
2.5 Authorized Users agree that they will not knowingly use the Service in any manner which may infringe copyright or intellectual property rights or in any manner which is unlawful, offensive, threatening, libelous, defamatory, pornographic, obscene or in violation of the terms of this Agreement.
2.6 Authorized Users agree that they will not knowingly use the Service to upload, post, host, or transmit unsolicited bulk email “spam”, short message service “SMS” messages, viruses, self-replicating computer programs “worms” or any code of a destructive or malicious nature.
2.7 Except for the non-exclusive license granted pursuant to this Agreement, Subscriber acknowledges and agrees that all ownership, license, intellectual property and other rights and interests in and to the Service shall remain solely with Hemmat.
2.8 Authorized Users who configure the Service to share or make available certain Content to the public, are deemed to acknowledge and agree that everyone will have access to the Content (“Public Content“). It is the responsibility of the Authorized User to determine if the Service being shared is appropriate for each Registered User. Hemmat reserves the right, at any time, in its sole discretion, to take any action deemed necessary with respect to Public Content that Hemmat believes violates the terms of this Agreement, including, but not limited to, removal of such Public Content.
2.9 Hemmat reserves the right at any time, and from time to time, to modify or discontinue, temporarily or permanently, any feature associated with the Service, with or without notice, except that Hemmat shall provide Subscriber with 30-days notice of any modification that materially reduces the functionality of the Service. Continued use of the Service following any modification constitutes Subscriber’s acceptance of the modification.
2.10 Hemmat reserves the right to temporarily suspend access to the Service for operational purposes, including, but not limited to, maintenance, repairs or installation of upgrades, and will endeavor to provide no less than two business days notice prior to any such suspension. Such notice shall be provided to you in advance by way of notification within the Service, email or other notification method deemed appropriate by Hemmat. Further, Hemmat shall endeavor to confine planned operational suspensions with a best effort to minimize disruption to the Subscriber, but reserves the ability to temporarily suspend operations without notice at any time to complete necessary repairs. In the event of a temporary suspension, Hemmat will use the same notification methods listed in this section to provide updates as to the nature and duration of any temporary suspension.
2.11 Hemmat stores all Content on redundant storage servers. Subscriber may elect to, at a regular interval, replicate all Content associated with the subscription to a third party storage service (“Escrow Agent“). If there is replicated content, the replicated Content (“Escrowed Data“) will be held under the terms of a separate agreement exclusively between Subscriber and Escrow Agent (“Escrow Agreement“). The Subscriber may also elect to replicate all Content associated with the subscription on its own storage device.
2.12 Subscriber grants to Hemmat a non-exclusive, royalty-free right during Subscriber’s use of the Service, to use the Confidential Information for the sole purpose of performing Hemmat’s obligations under this Agreement in accordance with the terms of this Agreement. Such rights shall include permission for Hemmat to generate and publish aggregate anonymized reports on system usage and Content trends and type, provided they do not conflict with Section 4.1.
2.13 Hemmat uses one code-base for all jurisdictions. Subscriber is required, using settings available within the Service, to configure the Service for its own jurisdiction and to verify that the settings meet the Subscriber’s requirements. Hemmat will highlight known features that may require Subscriber’s review.
3. Access to the Service
3.1 Subscriber is only permitted to access and use the Service if they are an Authorized User or a Registered Client. Authorized Users are required to provide their full legal name, a valid email address, and any other information reasonably requested by the Service.
3.2 Each Authorized User will be provided with a unique identifier to access and use the Service (the “Username“). The Username shall only be used by the Authorized User to whom it is assigned, and shall not be shared with, or used by any other person, including other Authorized Users.
3.3 The initial Administrator shall be the Primary Subscriber with authority to administer the subscription and designate additional Authorized Users and/or Administrators. Each subscription may designate multiple Authorized Users as Administrator. Any Administrator shall be deemed to have the authority to manage the subscription and any Authorized Users. The Administrator will deactivate an active Username if the Administrator wishes to terminate access to the Service for any Authorized User.
3.4 Administrators are responsible for all use of the Service by Authorized Users on the list of active Authorized Users associated with their subscription to the Service.
3.5 As between Hemmat and the Subscriber, any Content uploaded or posted to the Service remains the property of the Subscriber. Upon Cancellation or Termination of Service as discussed in Section 10 below, Hemmat shall only be responsible for the return of Content directly to the Administrator or a designated Authorized User in the event that the Administrator is unable to be reached.
3.6 All access to and use of the Service via mechanical, programmatic, robotic, scripted or any other automated means not provided as part of the Service is strictly prohibited.
3.7 Authorized Users are permitted to access and use the Service using an Application Program Interface (“API“) subject to the following conditions:
(a) any use of the Service using an API, including use of an API through a third party product that accesses and uses the Service, is governed by these Terms of Service;
(b) Hemmat shall not be liable for any direct, indirect, incidental, special, consequential or exemplary damages, including but not limited to, damages for loss of profits, goodwill, use, data or other intangible losses (even if Hemmat has been advised of the possibility of such damages), resulting from any use of an API or third party products that access and use the Service via an API;
(c) Excessive use of the Service using an API may result in temporary or permanent suspension of access to the Service via an API. Hemmat, in its sole discretion, will determine excessive use of the Service via an API, and will make a reasonable attempt to warn the Authorized User prior to suspension; and
(d) Hemmat reserves the right at any time to modify or discontinue, temporarily or permanently, access and use of the Service via an API, with or without notice.
4. Confidentiality
4.1 Hemmat and Subscriber agree to treat all Confidential Information as confidential and not to use or disclose such Confidential Information except as necessary to perform its obligations under this Agreement.
4.2 Hemmat and any third party vendors and hosting partners it utilizes to provide the Service shall hold Content in strict confidence and shall not use or disclose Content except (a) as required to perform their obligations under this Agreement; (b) in compliance with Section 7 of this Agreement, or (c) as otherwise authorized by you in writing.
5. Security and Access
5.1 Hemmat is responsible for providing a secure method of authentication and accessing its Service. Hemmat will provide mechanisms that:
(a) allow for user password management;
(b) transmit passwords in a secure format; and
(c) protect passwords entered for purposes of gaining access to the Service by utilizing code that follows password management best practices.
5.2 Subscriber will be responsible for protecting the security of usernames and passwords, or any other codes associated with the Service, and for the accuracy and adequacy of personal information provided to the Service.
5.3 Subscriber will implement policies and procedures to prevent unauthorized use of usernames and passwords, and will promptly notify Hemmat upon suspicion that a username and password has been lost, stolen, compromised, or misused.
5.4 At all times, Hemmat, and any third party vendors and hosting partners it utilizes to provide the Service, will:
(a) use information security best practices for transmitting and storing your Content, adhering to industry standards;
(b) employ information security best practices with respect to network security techniques, including, but not limited to, firewalls, intrusion detection, and authentication protocols, vulnerability and patch management;
(c) ensure its host facilities maintain industry standards for security and privacy; and
(d) Intentionally Omitted.
5.5 Hemmat shall report to Subscriber, with all relevant details (except those which could prejudice the security of data uploaded by other customers), any event that Hemmat reasonably believes represents unauthorized access to, disclosure of, use of, or damage to Content (a “Security Breach“). Hemmat shall make such report within seventy-two (72) hours after learning of the Security Breach.
5.6 In the event of a Security Breach, Hemmat shall (a) cooperate with Subscriber to identify the cause of the breach and to identify any affected Content; (b) assist and cooperate with Subscriber in investigating and preventing the recurrence of the Security Breach; (c) assist and cooperate with Subscriber in any litigation or investigation against third parties that Subscriber undertake to protect the security and integrity of Content; and (d) use commercially reasonable endeavors to mitigate any harmful effect of the Security Breach.
6. EU Data Protection
The parties agree to comply with the provisions of the Data Processing Addendum set out in Exhibit B.
7. Legal Compliance
7.1 Hemmat maintains that its primary duty is to protect the Content to the extent the law allows. Hemmat reserves the right to provide the Confidential Information to third parties as required and permitted by law (such as in response to a subpoena or court order), and to cooperate with law enforcement authorities in the investigation of any criminal or civil matter.
If Hemmat is required by law to make any disclosure of the Confidential Information that is prohibited or otherwise constrained by this Agreement, then Hemmat will provide Subscriber with prompt written notice (to the extent permitted by law) prior to such disclosure so that the Subscriber may seek a protective order or other appropriate relief. Subject to the foregoing sentence, Hemmat may furnish that portion (and only that portion) of the Confidential Information that it is legally compelled or otherwise legally required to disclose.
7.2 Hemmat will only accept legal requests for production of Content or other Confidential Information through the procedures listed on Exhibit D Hemmat Legal Service and Notice Provisions.
8. Managed Backup and Archiving
Hemmat’s managed backup services is designed to facilitate restoration of Content to the server or device from which the Content originated in the event the primary data is lost or corrupted. Hemmat shall ensure recovery of lost or corrupted Content at no cost to you. Following any cancellation or termination of Service for any reason, Subscriber shall have ninety (90) days to retrieve any and all Content. Hemmat shall not be responsible for any content on third party service providers including but not limited to Clio or Microsoft 365.
9. Payment, Refunds, and Subscription Changes
9.1 Subscribers with paid subscriptions will provide Hemmat with a valid credit card for payment of the applicable subscription fees. All subscription fees are exclusive of all federal, state, provincial, municipal, or other taxes which Subscribers agree to pay based on where the Subscriber is located. Invoices will include (i) subscription fees and (ii) all applicable sales taxes, as amended from time to time, for the jurisdiction in which the Subscriber is located. In the event of updated tax rates, Hemmat will apply the new tax rate without notice to the Subscriber. In addition to any fees, the Subscriber may still incur charges incidental to using the Service, including, without limitation, charges for Internet access, data roaming, and other data transmission charges.
9.2 Subscribers with monthly paying subscriptions will be charged upon the expiration of any applicable free trial period. Subscriptions cancelled prior to the expiration of any trial period will not be charged. Monthly Subscribers will be charged monthly and in advance of the month following such charge. Annual Subscribers will be charged annually on the anniversary date of the initial subscription charge. All charges are final and non-refundable, including payments made by annual Subscribers, setup fees, and other professional services charges.
Annual Subscribers who satisfy applicable eligibility requirements, as determined in Hemmat’s sole discretion, may elect to be charged on a semi-annual or quarterly billing cycle. Semi-annual Subscribers will be charged on the first and one hundred eightieth (180th) day of their subscription. Quarterly Subscribers will be charged on the first day of their subscription and every ninety (90) days thereafter until the full subscription has been paid.
All charges, including setup fees and other professional services charges, are final and: (i) non-refundable for subscriptions charged on an annual billing cycle in advance; and (ii) non-cancellable for subscriptions charged on a semi-annual or quarterly billing cycle, unless otherwise agreed in writing by Hemmat in its sole discretion.
Subscribers who purchased setup or professional services, like tailored live training, customized forms and documents, or migration services, must initiate those services within sixty (60) days (the “Service Window“) following their purchase. Absent a separate invoice, the date of purchase for setup or professional services will be deemed to be the initial date of entry of a valid credit card for payment, as required in Section 9.1. Failure of the Subscriber to initiate purchased setup or professional services within the Service Window will result in those services no longer being available and no refund will be issued.
9.3 No refunds or credits will be issued for partial periods of service, upgrade/downgrade refunds, or refunds for periods unused with an active subscription, including, but not limited to, instances involving the removal of a Subscriber.
9.4 There are no charges for cancelling an annual subscription paid in advance and subscriptions cancelled prior to the end of the annual billing cycle will not be charged again in the following annual cycle.
9.5 The amount charged in each billing cycle will be automatically updated to reflect any changes to the subscription, including upgrades or downgrades, and including the addition or removal of discounts included for the purchase of suite services. Adding Authorized User subscriptions or subscription upgrades will trigger prorated charges in the current billing cycle. Subscriber authorizes Hemmat to apply updated charge amounts. Subscription changes, including downgrades, may result in loss of access to Content, features, or an increase or reduction in the amount of available capacity for Content provided by the Service.
9.6 All prices are subject to change upon notice. Such notice may be provided by an e-mail message to the Administrator, or in the form of an announcement on the Service.
9.7 Subscriber is responsible for paying all taxes associated with the subscription to the Service. If Hemmat has the legal obligation to pay or collect taxes for which Subscriber is responsible under this section, the appropriate amount shall be charged to and paid by Subscriber, unless Subscriber provides Hemmat with a valid tax exemption certificate authorized by the appropriate taxing authority.
9.8 Any and all payments by or on account of the compensation payable under this Agreement shall be made free and clear of and without deduction or withholding of any kind. If the Subscriber is required to deduct or withhold any taxes from such payments, then the sum payable shall be increased as necessary so that, after making all required deductions or withholdings, Hemmat receives an amount equal to the sum it would have received had no such deduction or withholding been made.
10. Cancellation and Termination
10.1 Administrators are solely responsible for canceling subscriptions. An Administrator may cancel their subscription at any time by accessing the Service and clicking on the cancel link where indicated, or at www.thyme.org/cancel. For security reasons, cancellations shall only be performed by an Administrator using the account cancellation URL within the Service. The Administrator may be directed, within the Service, to call support to complete the cancellation. Cancellations shall not be accepted by any other means.
10.2 Hemmat in its sole discretion has the right to suspend or discontinue providing the Service to any Subscriber without notice for actions that are (a) in material violation of this Agreement or (b) create a Security Emergency.
10.3 If (i) Authorized Users use the Service to materially violate this Agreement in a way that does not create a Security Emergency; (ii) Hemmat provides Subscriber with commercially reasonable notice of this violation; (iii) Hemmat uses commercially reasonable efforts to discuss and resolve the violation with Subscriber; and (iv) despite the foregoing, the violation is not resolved to Hemmat’s reasonable satisfaction within thirty (30) days of such notice, then Hemmat reserves the right to suspend access to the Service.
10.4 As required by Section 8, upon cancellation or termination of a subscription, Content is made available to the Administrator or a designated Authorized User. Following a period of no less than ninety (90) days from the cancellation or termination of a subscription, all Content associated with such subscription will be irrevocably deleted from the Service. All Escrowed Data, if any, will continue to remain available for a period of six (6) months upon cancellation or termination of a subscription in accordance with the terms of the Escrow Agreement.
11. Limitation of Liability
11.1 Except in the case of a violation by Hemmat of its obligations under Sections 4, 5 and 8, and except as provided in Section 13.2, Hemmat shall not be liable for, and Subscriber waives the right to claim, any loss, injury, claim, liability or damage of any kind resulting in any way from the Services provided to Subscriber by Hemmat.
11.2 SUBSCRIBER AGREES THAT THE LIABILITY OF HEMMAT ARISING OUT OF ANY CLAIM IN ANY WAY CONNECTED WITH THE SERVICE WILL NOT EXCEED THE TOTAL AMOUNT YOU HAVE PAID FOR THE SERVICE PURSUANT TO THE AGREEMENT WITHIN THE SIX (6) -MONTH PERIOD BEFORE THE DATE THE CLAIM AROSE. SUBSCRIBER FURTHER AGREES THAT HEMMAT IS NOT AND WILL NOT BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND WHATSOEVER (INCLUDING WITHOUT LIMITATION, ATTORNEY FEES) RELATING TO THIS AGREEMENT. THESE DISCLAIMERS APPLY REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, WHETHER THOSE DAMAGES ARE FORESEEABLE AND WHETHER HEMMAT HAS BEEN ADVISED OF THE POSSIBILITY OF THOSE DAMAGES. THESE DISCLAIMERS ARE NOT APPLICABLE TO THE INDEMNIFICATION OBLIGATION SET FORTH IN SECTION 13.2. EACH PROVISION OF THIS AGREEMENT THAT PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF DAMAGES, OR EXCLUSION OF DAMAGES IS TO ALLOCATE THE RISKS OF THIS AGREEMENT BETWEEN THE PARTIES. THIS ALLOCATION IS REFLECTED IN THE PRICING OFFERED BY HEMMAT TO SUBSCRIBER AND IS AN ESSENTIAL ELEMENT OF THE BASIS OF THE BARGAIN BETWEEN THE PARTIES. EACH OF THESE PROVISIONS IS SEVERABLE FROM AND INDEPENDENT OF ALL OTHER PROVISIONS OF THIS AGREEMENT.
11.3 Subscriber will solely be responsible for any damage and/or loss of Content contained in Subscriber’s technology which occurs as a result of Subscriber’s electronic equipment and/or Subscriber’s computer system.
12. Disclaimer of Warranties
12.1 HEMMAT HEREBY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS WITH RESPECT TO ANY SERVICES PROVIDED BY HEMMAT. NOTHING IN THIS SECTION 12.1 SHALL MODIFY HEMMAT’S OBLIGATION TO INDEMNIFY SUBSCRIBER AS REQUIRED BY SECTION 13.2(A) OF THIS AGREEMENT (“INDEMNIFICATION”).
12.2 Hemmat makes no warranty that its services when provided to Subscriber, in digital or electronic format, will be compatible with Subscriber’s computer and/or other equipment, or that these Services will be secure or error-free. Nor does Hemmat make any warranty as to any results that may be obtained from the use of the Service. Nothing in this Section 12.2 shall modify Hemmat’s obligations under Sections 4 or 5 or Hemmat’s obligation to indemnify you as required by Section 13.2(b) of this Agreement.
12.3 Hemmat hereby disclaims all warranties of any kind related to Subscriber’s hardware or software beyond the warranties provided by the manufacturer of Subscriber’s hardware or software.
13. Indemnification
13.1 Subscriber hereby agrees to indemnify and hold harmless Hemmat from and against any claim, action, proceeding, loss, liability, judgment, obligation, penalty, damage, cost or expense, including attorneys’ fees, which arise from or relate to the following:
a. Authorized Users’ breach of any obligation stated in this Agreement; and
b. Authorized Users’ negligent acts or omissions.
Hemmat will provide prompt notice to Subscriber of any indemnifiable event or loss. Subscriber will undertake, at Subscriber’s own cost, the defense of any claim, suit or proceeding with counsel reasonably acceptable to Hemmat. Hemmat reserves the right to participate in the defense of the claim, suit or proceeding, at Hemmat’s expense, with counsel of Hemmat’s choosing.
13.2 Hemmat shall defend, indemnify and hold Subscriber harmless against any loss, damage or costs (including reasonable attorneys’ fees) in connection with claims, demands, suits, or proceedings made or brought against Subscriber by a third party:
a. alleging that the Service, or use of the Service as contemplated hereunder, infringes on a copyright, a U.S. patent issued as of the date of final execution of this Agreement, or a trademark of a third party or involves the misappropriation of any trade secret of a third party; provided, however, that Subscriber: (i) promptly gives written notice of the Claim to Hemmat (provided, however, that the failure to so notify shall not relieve Hemmat of its indemnification obligations unless Hemmat can show that it was materially prejudiced by such delay and then only to the extent of such prejudice); (ii) gives Hemmat sole control of the defense and settlement of the Claim (provided that Hemmat may not settle any Claim unless it unconditionally releases Subscriber of all liability); and (iii) provides to Hemmat, at Hemmat’s cost, all reasonable assistance. Hemmat shall not be required to indemnify Subscriber in the event of: (x) modification of the Service by Subscriber in conflict with Subscriber’s obligations or as a result of any prohibited activity as set forth herein to the extent that the infringement or misappropriation would not have occurred but for such modification; (y) use of the Service in combination with any other product or service not provided by Hemmat to the extent that the infringement or misappropriation would not have occurred but for such use; or (z) use of the Service in a manner not otherwise contemplated by this Agreement to the extent that the infringement or misappropriation would not have occurred but for such use; or
b. arising out of or related to a violation by Hemmat of its obligations under Sections 4 or 5 of this Agreement.
14. Miscellaneous
14.1 Technical support and training are available to Authorized Users with active subscriptions, and is available by telephone, email or electronic support ticket, and as provided in Exhibit A.
14.2 Subscriber acknowledges and agrees that Hemmat may use third party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to run the Service.
14.3 The Services may allow you to access or use or integrate with third party providers of products and services (“Third Party Products“). Such Third Party Products are not part of the Services under this Agreement and are not subject to any terms related to Services, including related warranties, indemnities, service commitments or other obligations. The availability of any Third Party Products through the Services does not imply Hemmat’s endorsement of or affiliation with the provider. Access to and use of any Third Party Products are subject to the separate terms and conditions required by the providers of the Third Party Products. Hemmat does not control the Third Party Products and will have no liability to Subscriber in connection with any Third Party Product. Hemmat has no obligation to monitor or maintain any Third Party Product and may replace, disable or restrict access to any Third Party Product or cancel related integrations at any time, without notice. The calculation of downtime pursuant to Exhibit A does not include the unavailability of any integration to a Third Party Service or Third Party Product. BY USING OR ENABLING ANY THIRD PARTY PRODUCT, SUBSCRIBER EXPRESSLY ACKNOWLEDGES THAT ANY LIABILITY AND REMEDIES RELATED TO A THIRD PARTY PRODUCT IS WHOLLY GOVERNED BY THE APPLICABLE THIRD PARTY AGREEMENT AND HEMMAT DISCLAIMS ALL LIABILITY RELATED TO SUCH THIRD PARTY PRODUCT.
14.4 Subscriber acknowledges the risk that information and the Content stored and transmitted electronically through the Service may be intercepted by third parties. Subscriber agrees to accept that risk and will not hold Hemmat liable for any loss, damage, or injury resulting from the interception of information. The Content is stored securely and encrypted. Only Hemmat, with strict business reasons, may access and transfer the Content and only to provide Subscriber with the Service. Hemmat will make reasonable efforts to provide notice to Subscriber prior to such access and transfer. Hemmat’ actions will comply with its obligations under Sections 4 and 5 of this Agreement.
14.5 The failure of either party to enforce any provision hereof shall not constitute or be construed as a waiver of such provision or of the right to enforce it at a later time.
14.6 This Agreement constitutes the entire agreement between Subscriber, Authorized Users and Hemmat and governs Authorized Users use of the Service, superseding any prior agreements between Subscriber, Authorized Users and Hemmat (including, but not limited to, any prior versions of this agreement).
14.7 Hemmat reserves the right to amend this Agreement. In the event of material changes to the Agreement, Hemmat will notify Subscribers, by email, or by other reasonable means of these changes prior to their enactment. Continued use of the Service by the Subscriber after reasonable notice will be considered acceptance of any new terms.
14.8 Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other party (which consent shall not be unreasonably withheld). Notwithstanding the foregoing, either party may assign this Agreement in its entirety without consent of the other party in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets provided the assignee has agreed to be bound by all of the terms of this Agreement. Any attempt by a party to assign its rights or obligations under this Agreement in breach of this Section shall be void and of no effect.
14.9 Governing Law and Venue. This Agreement and your relationship with Hemmat shall be governed exclusively by, and will be enforced, construed, and interpreted exclusively in accordance with, the laws applicable in the State of Washington, United States of America and shall be considered to have been made and accepted in the State of Washington, United States of America, without regard to its conflict of law provisions. All disputes under this Agreement will be resolved by the courts of King County, Washington, and Subscribers consent to the jurisdiction of and venue in such courts and waive any objection as to inconvenient forum. In any action or proceeding to enforce rights under this Agreement, the prevailing party shall be entitled to recover costs and legal fees.
Exhibit A
Hemmat Service Level Commitments and Support Services
Commencing on the date the Service to the Subscriber commences (the “Subscription Term”), Hemmat will provide Service Level Commitments (“SLC”) Credits (defined in Section 3 below) and Support Services in accordance with the SLC and Support Services Terms as defined herein. In the event of any conflict between the Agreement and the Service Level Commitment and Support Services Terms, the SLC and Support Services Terms will prevail. The SLC and Support Services incorporate the definitions set forth in Section 1 of the Clio User License Agreement.
1. Exhibit Definitions
“Subscriber Core Group” means Subscriber’s employees who have been trained on the Service and who are familiar with Subscriber’s business practices.
“Subscriber User Community” means all users who input, extract or view data in the Service, including all Registered Clients.
“Downtime” means any period, greater than ten minutes, within the Scheduled Available Time during which the Subscriber is unable to access or use the Service because of an Error (as defined below), excluding (i) any such period that occurs during any Scheduled Downtime and/or Recurring Downtime (as defined below), or (ii) document preview, search, FTP or sync functions of the Service.
“Error(s)” means the material failure of the Service to conform to its published functional specifications.
“Procedural Issues” means those issues that are to be addressed by Subscriber through adjustment of a specific business process to accomplish work in the Service.
“Recurring Downtime” means 4 hours per month on the third Saturday of the month from 12:00 A.M. to 4:00 A.M. PST.
“Request” means a modification to the Service outside of the scope of the functional specifications.
“Scheduled Available Time” means 24 hours a day, 7 days a week.
“Scheduled Downtime” means the time period identified by Hemmat in which it intends to perform any planned upgrades and/or maintenance on the Service or related systems and any overrun beyond the planned completion time.
“Uptime Percentage” means the total number of minutes of Scheduled Available Time for a calendar month minus the number of minutes of Downtime suffered in such calendar month, divided by the total number of minutes of Scheduled Available Time in such calendar month. Uptime Percentage will be calculated by Hemmat solely using records and tools available to Hemmat.
“User Administration Support” means issues that impact the usability of the Service and are addressable through the adjustment of Registered Client’s access privileges, processes or procedures.
2. Scope of Service Level Commitments
Hemmat’s obligations do not extend to Errors or other issues caused by:
1. any modification of the Service made by any person other than Hemmat;
2. any third party hardware or software used by Subscriber or any Registered Clients except as otherwise provided in the then current Documentation;
3. the improper operation of the Service by Subscriber or Registered Clients;
4. the accidental or deliberate damage to, or intrusion or interference with the Service;
5. the use of the Service other than in accordance with any user Documentation or the reasonable instructions of Hemmat;
6. ongoing test or training instances of the Service provided to Subscriber; or
7. services, circumstances or events beyond the reasonable control of Hemmat, including, without limitation, any force majeure events, the performance and/or availability of local ISPs employed by Subscriber, or any network beyond the demarcation or control of Hemmat.
3. Scheduled Downtime and Guaranteed Uptime
Hemmat will use commercially reasonable efforts to provide at least 24 hours’ prior notice before undertaking any Scheduled Downtime. Commencing on the effective date of the applicable Subscription Term, in the event the Service experiences an Uptime Percentage of less than 99.9% in any calendar month, Hemmat will provide to Subscriber a credit (“SLC Credit”) equal to the credit percentage identified in the table SLC Credits table below multiplied by the Subscriber’s fees paid to Hemmat for the Service that are attributable to such month (calculated on a straight line pro-rated basis with respect to any fees paid in advance). Subscriber will submit a written SLC Credit request to Hemmat in writing within 30 days of such Downtime. The SLC Credit is Subscriber’s sole and exclusive remedy for any failure by Hemmat to meet any performance obligations pertaining to the Service, including, without limitation, any support obligations except as provided in the User License Agreement.
Hemmat reserves the right to temporarily suspend Subscriber’s or a Registered Client’s access to the Clio Service as set out in the User License Agreement. Any such suspensions based on repairs, technical problems, outages or maintenance services will be subject to the Service Level Commitments.
SLC Credits Table
| Uptime Percentage | Credit Percentage |
| Equal to or greater than 98% but less than 99.9% | 10% |
| Less than 98% | 25% |
4. Availability of SLC Credits
Subscribers who are past due on any payments owed to Hemmat are not eligible to receive SLC Credits. Hemmat will issue SLC Credits, as determined in its sole discretion, either on future billing cycles or as a refund against annual fees paid. In order to receive any SLC Credit, Subscriber must notify Hemmat within 30 days from the time Subscriber becomes eligible to receive a SLC Credit. Failure to comply with this requirement will forfeit Subscriber’s right to receive a SLC Credit. In no event will the total amount of SLC Credits if any, exceed the fees paid by Subscriber for the corresponding month.
5. Support Services
Hemmat will provide support services to assist Subscriber in resolving Errors (“Support Services”). Support Services do not include (a) physical installation or removal of the API and any Documentation; (b) visits to Subscriber’s site; (c) any electrical, mechanical or other work with hardware, accessories or other devices associated with the use of the Service; (d) any work with any third party equipment, software or services; (e) any professional services (“Professional Services”) associated with the Service, including, without limitation, any custom development, or data modeling.
Hemmat will provide email and/or phone support at www.thyme.org, excluding Hemmat corporate holidays and national Canadian, Irish, and U.S. holidays except where noted.
Exhibit B
Hemmat Data Protection Addendum
To the extent that Hemmat Processes any Subscriber Personal Data (each as defined below) and (i) the Subscriber Personal Data relates to individuals located in the EEA; or (ii) Subscriber is established in the EEA or UK, the provisions of this Data Processing Addendum (“DPA“) shall apply to the processing of such Subscriber Personal Data. In the event of any conflict between the remainder of the Agreement and the DPA, the DPA will prevail.
1. Definitions
1.1. The following capitalized terms used in this DPA shall be defined as follows:
(a) “Controller” has the meaning given in the GDPR.
(b) “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (“GDPR“) or the UK General Data Protection Regulation (“UK GDPR“), tailored by the Data Protection Act 2018, any applicable national implementing legislation in each case as amended, replaced or superseded from time to time, and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Subscriber Personal Data.
(c) “Data Subject” has the meaning given in the GDPR.
(d) “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
(e) “Processing” has the meaning given in the GDPR, and “Process” will be interpreted accordingly.
(f) “Processor” has the meaning given in the GDPR.
(g) “Security Incident” means any confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Subscriber Personal Data.
(h) “Standard Contractual Clauses” means the Standard Contractual Clauses (processors) approved by European Commission Decision (EU) 2021/914 of 4 June 2021 or any subsequent version thereof released by the European Commission (which will automatically apply).
The Standard Contractual Clauses are applicable to the extent they reference Module Two (Controller-to-Processor).
When (i) the Subscriber Personal Data relates to individuals located in the UK; or (ii) Subscriber is established in the UK, the parties agree to the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section18 of those Mandatory Clauses.
(i) “Subprocessor” means any Processor engaged by Hemmat who agrees to receive from Hemmat Subscriber Personal Data.
(j) “Subscriber Personal Data” means the “personal data” (as defined in the GDPR) described in the Annex and any other personal data contained in the Content or that Hemmat processes on Subscriber’s behalf in connection with the provision of the Service.
(k) “Supervisory Authority” has the meaning given in the GDPR.
(l) “United Kingdom” or “UK” means the country of the United Kingdom.
2. Data Processing
2.1. The Parties acknowledge and agree that for the purpose of the Data Protection Laws, the Subscriber is the Controller and Hemmat is the Processor.
2.2 Instructions for Data Processing. Hemmat will only Process Subscriber Personal Data in accordance with Subscriber’s written instructions. The parties acknowledge and agree that the Agreement (subject to any changes to the Service agreed between the parties) and this DPA shall be Subscriber’s complete and final instructions to Hemmat in relation to the processing of Subscriber Personal Data.
2.3. Processing outside the scope of this DPA or the Agreement will require prior written agreement between Subscriber and Hemmat on additional instructions for Processing.
2.4. Required consents. Where required by applicable Data Protection Laws, Subscriber will ensure that it has obtained/will obtain all necessary consents and complies with all applicable requirements under Data Protection Laws for the Processing of Subscriber Personal Data by Hemmat in accordance with the Agreement.
3. Transfer of Personal Data
3.1. Authorized Subprocessors. Subscriber agrees that Hemmat may use Subprocessors listed to Process Subscriber Personal Data. The current list of Subprocessors may be accessed in Exhibit C to the Agreement.
3.2. As per Clause 9(a), Module 2, OPTION 2 of the Standard Contractual Clauses, Subscriber agrees that Hemmat may use subcontractors to fulfil its contractual obligations under the Agreement. Hemmat shall notify Subscriber from time to time of the identity of any Subprocessors engaged. If Subscriber (acting reasonably) objects to a new Subprocessor on grounds related to the protection of Subscriber Personal Data only, then without prejudice to any right to terminate the Agreement, Subscriber may request that Hemmat move the Subscriber Personal Data to another Subprocessor and Hemmat shall, within a reasonable time following receipt of such request, use reasonable endeavours to ensure that the original Subprocessor does not Process any of the Subscriber Personal Data. If it is not reasonably possible to use another Subprocessor, and Subscriber continues to object for a legitimate reason, either party may terminate the Agreement on thirty (30) days written notice. If Subscriber does not object within thirty (30) days of receipt of the notice, Subscriber is deemed to have accepted the new Subprocessor.
3.3. Save as set out in clauses 3.1 and 3.2, Hemmat shall not permit, allow or otherwise facilitate Subprocessors to Process Subscriber Personal Data without Subscriber’s prior written consent and unless Hemmat:
(a) enters into a written agreement with the Subprocessor which imposes equivalent obligations on the Subprocessor with regard to their Processing of Subscriber Personal Data, as are imposed on Hemmat under this DPA; and
(b) shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to Subscriber for the acts and omissions of any Subprocessor as if they were Hemmat’s acts and omissions.
3.4. International Transfers of Subscriber Personal Data. Hemmat commits to Processing Subscriber Personal Data within the EEA. To the extent that the Processing of Subscriber Personal Data by Hemmat involves the export of such Subscriber Personal Data to a third party in a country or territory outside the EEA, such export shall be:
(a) to a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects as determined by the European Commission;
(b) to a third party that is a member of a compliance scheme recognized as offering adequate protection for the rights and freedoms of Data Subjects as determined by the European Commission; or
(c) governed by the Standard Contractual Clauses between the Subscriber as exporter and such third party as importer. For this purpose, the Subscriber appoints Hemmat as its agent with the authority to complete and enter into the Standard Contractual Clauses as agent for the Subscriber on its behalf.
4. Data Security, Audits, and Security Notifications
4.1 Hemmat Security Obligations. Hemmat will implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to the risk, including as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 Upon Subscriber’s reasonable request, Hemmat will make available all information reasonably necessary to demonstrate compliance with this DPA.
4.3 Security Incident Notification. If Hemmat becomes aware of a Security Incident, Hemmat will (a) notify Subscriber of the Security Incident within 72 hours, (b) investigate the Security Incident and provide Subscriber (and any law enforcement or regulatory official) with reasonable assistance as required to investigate the Security Incident.
4.4 Hemmat Employees and Personnel. Hemmat will treat the Subscriber Personal Data as confidential, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Subscriber Personal Data.
4.5 Audits. Hemmat will, upon Subscriber’s reasonable request and at Subscriber’s expense, allow for and contribute to audits, including inspections, conducted by Subscriber (or a third party auditor on Subscriber’s behalf and mandated by Subscriber) provided (i) such audits or inspections are not conducted more than once per year (unless requested by a Supervisory Authority); (ii) are conducted only during business hours; (iii) are conducted in a manner that causes minimal disruption to Hemmat’s operations and business; and (iv) Following completion of the audit, upon request, Subscriber will promptly provide Hemmat with a complete copy of the results of that audit.
5. Access Requests and Data Subject Rights
5.1 Data Subject Rights. Where applicable, and taking into account the nature of the Processing, Hemmat will use reasonable endeavours to assist Subscriber by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Subscriber’s obligation to respond to requests for exercising Data Subject rights laid down in the Data Protection Laws.
6. Data Protection Impact Assessment and Prior Consultation
6.1 To the extent required under applicable Data Protection Laws, Hemmat will provide Subscriber with reasonably requested information regarding its Service to enable Subscriber to carry out data protection impact assessments or prior consultations with any Supervisory Authority, in each case solely in relation to Processing of Subscriber Personal Data and taking into account the nature of the Processing and information available to Hemmat.
7. Termination
7.1 Deletion or return of data. Subject to 7.2 below, Hemmat will, at Subscriber’s election and within 90 (ninety) days of the date of termination of the Agreement:
(a) make available for retrieval all Subscriber Personal Data Processed by Hemmat (and delete all other copies of Subscriber Personal Data Processed by Hemmat following such retrieval); or
(b) delete the Subscriber Personal Data Processed by us.
7.2 Hemmat and its Subprocessors may retain Subscriber Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Hemmat ensures the confidentiality of all such Subscriber Personal Data and shall ensure that such Subscriber Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
8. Governing law
8.1 This DPA shall be governed by, and construed in accordance with the laws of Ireland. Each of the parties irrevocably submits for all purposes (including any non-contractual disputes or claims) to the non-exclusive jurisdiction of the courts in Ireland. For Standard Contractual Clauses Clause 17 OPTION 1 and Clause 18, the parties agree to the laws and courts of Ireland.
Annex
Details of the Processing of Subscriber Personal Data
This Annex includes certain details of the processing of Subscriber Personal Data as required by Article 28(3) of the GDPR.
Subject matter and duration of the Processing of Subscriber Personal Data
The subject matter and duration of the Processing of the Subscriber Personal Data are set out in the Agreement and this DPA.
The nature and purpose of the Processing of Subscriber Personal Data
The Subscriber Personal Data will be subject to the following basic processing activities: transmitting, collecting, storing and analyzing data in order to provide the Service to the Subscriber, and any other activities related to the provision of the Service or specified in the Agreement.
The types of Subscriber Personal Data to be processed
The Subscriber Personal Data concern the following categories of data: names; email addresses; personal and professional information; and any other personal data provided by the Subscriber in connection with its use of the Service.
The categories of data subject to whom the Subscriber Personal Data relates
Any categories of individuals whose data the Subscriber extracts, transfers, and/or loads onto the Service, which may include but is not limited to:
- Registered Clients; and
- Past, present and prospective clients, business relationship contacts, and outside counsel contacts of the Subscriber.
The obligations and rights of the Subscriber
The obligations and rights of the Subscriber are as set out in this DPA.
Exhibit C
Hemmat Authorized Subprocesses
As disclosed in §3.1 of Hemmat’s Data Protection Addendum for GDPR Compliance, Hemmat uses the authorized subprocessors listed below to process personal information.
All processing is done in accordance with Hemmat’s Terms of Service and Privacy Policy respectively.
| Subprocessor | Purpose | Controller of the Personal Information | Data Location |
| Amazon Web Services | Hosting provider | Subscriber | Regionalized |
| Teams | Call Recording | Hemmat/Subscriber | United States |
| Azure | AI Processor | Subscriber | Regionalized |
| Calendly | Appointment Booking | Hemmat | United States |
| Zoom | Call recording | Hemmat/Subscriber | United States |
Exhibit D
Hemmat Legal Service and Notice Provisions
1. Service of Process
Hemmat Solutions Inc. accepts service of process by mail or courier at the physical address set forth below. Any notices that you provide without compliance with this section shall have no legal effect. No employee or office location other than listed below is authorized to accept service of process on behalf of Hemmat.
The Corporation Trust Company
Corporation Trust Center
1209 Orange St.
Wilmington, DE 19801
With a copy to:
Holmquist & Gardiner, PLLC
Attn: Imants F. Holmquist
1000 Second Ave., Suite 1770
Seattle, WA 98104
Email: Imants@lawhg.net
Hemmat does not accept service of process via email or electronic communications.
2. Subscriber Notice
As per Section 7.1 of Clio’s Terms of Service, Hemmat is contractually required to notify Subscribers of requests for their information from third parties, unless prohibited by law from doing so. Hemmat will provide Subscriber with prompt written notice prior to any disclosure requests so that the Subscriber may seek a protective order or other appropriate relief.
3. Costs
Hemmat may seek reimbursement for costs associated with responding to requests for information as provided by law. Such fees will be calculated based upon the nature and volume of the data requested, and any burdensome requirements imposed by the request. Labor costs and legal fees may be included in costs requiring reimbursement.
Where permitted by law, Hemmat may require a signed agreement with the third-party requesting Subscriber information outlining the nature of costs being incurred and a commitment to reimburse Hemmat prior to producing requested information.
Exhibit E
Hemmat Privacy Policy
1. Our approach to privacy
1.1 Hemmat Interactive Inc. (“Thyme“, “we“, “our“, or “us“) is committed to protecting your privacy. This privacy policy sets out how we collect, store, process, transfer, share and use data that identifies or is associated with you (“personal information“) and information regarding our use of cookies and similar technologies.
1.2 Thyme operates a cloud-based legal practice management solution available via our websites (our “Websites“) including at Thyme.org or any mobile application, as well as other products and services that we make available (the “Thyme Service“).
1.3 This privacy policy applies to the Thyme Service.
1.4 Before accessing or using the Thyme Service, please ensure that you have read and understood our collection, storage, use and disclosure of your personal information as described in this privacy policy. By accessing or using the Thyme Service, you are accepting and consenting to the practices described in this privacy policy.
2. Personal information we collect about you and how we use it
2.1 Information you give to us. We collect personal information about you when you voluntarily submit information directly to us by filling in forms on our Website or by corresponding with us by phone, email or other means. This includes information you provide when you register to use our Website, subscribe to the Thyme Service, participate in any discussion boards, forums or other social media functions on our site or enter a competition, promotion or survey and when you report a problem with our Website, or use some other feature of the Thyme Service as available from time to time.
2.2 If you choose not to provide personal information, we may not be able to provide the Thyme Service to you or respond to your other requests.
2.3 Information we receive from other sources. We may receive personal information about you from individuals or corporate entities which are subscribers to the Thyme Service (“Subscribers“) where you are to be designated a user of the Thyme Service. We may receive personal information about you if you use any of the other websites we operate or the other services we provide from time to time. We also work closely with third parties (including, for example, subcontractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them, subject to your agreements with them.
2.4 The table at Annex 1 sets out the categories of personal information you provide to us and that we receive from other sources and how we use that information. The table also lists the legal basis which we rely on to process the personal information and information as to how we determine applicable retention periods.
2.5 We also automatically collect personal information about you indirectly about how you access and use the Thyme Service and information about the device you use to access the Thyme Service.
2.6 The table at Annex 2 sets out the categories of personal information we collect about you automatically and how we use that information. The table also lists the legal basis which we rely on to process the personal information and information as to how we determine applicable retention periods.
2.7 We may link or combine the personal information we collect and/or receive about you and the information we collect automatically. This allows us to provide you with a personalized experience regardless of how you interact with us.
2.8 We may anonymize and aggregate any of the personal information we collect (so that it does not identify you). We may use anonymized information for purposes that include testing our IT systems, research, data analysis, improving the Thyme Service and developing new products and features. We may also share such anonymized information with others.
3. Disclosure of your personal information
3.1 We may share your personal information with any member of our group, which includes our subsidiaries. We will not share your personal information with any third parties except as described in this privacy policy or in connection with the Service. We may share your information with selected third parties, including:
- Business partners, vendors, suppliers, and subcontractors who perform services on our behalf (these companies are authorized to use your personal information only as necessary to provide these services to us);
- Analytics and search engine providers that assist us in the improvement and optimization of our Website;
- Credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you;
- Payment processors for the purpose of fulfilling relevant payment transactions;
3.2 In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet law enforcement requirements.
We may disclose personal information in order to comply with any legal obligation, or in order to enforce or apply our terms and conditions of service (Thyme.org/tos) and other agreements; or to protect the rights, property, or safety of Thyme, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
3.3 Publicly accessible blogs. Our Website includes publicly accessible blogs or community forums. Any information you provide in these areas may be read, collected and used by others who access them. This includes information posted on our public social media accounts. To request removal of your personal information from our blog or community forum, contact us at privacy@thyme.org. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.
3.4 Testimonials. With consent, we may display personal testimonials of satisfied customers on our site, along with other endorsements. If you wish to update or delete your testimonial, you can contact us at privacy@thyme.org.
3.5 We may disclose personal information to third parties in connection with a business transaction. Personal information may be disclosed to third parties in connection with a transaction, such as a merger, sale of assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business. If we are involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email and/or a prominent notice on our Website of any change in ownership that impacts the use of your personal information, as well as any choices you may have regarding your personal information.
4. Marketing and advertising
From time to time we may contact you with relevant information about the Thyme Service and our other products and services. Most messages will be sent electronically. For some messages, we may use personal information we collect about you to help us determine the most relevant information to share with you.
5. Storing and transferring your personal information
5.1 Security. Thyme has implemented administrative, technical, and physical safeguards to protect its and its customers’ information. For further information on Thyme’s security controls and practices, please refer to our Security & Reliability page (https://thyme.org/security). Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Service, you are responsible for keeping this password confidential. Subscribers should not share their password with anyone.
5.2 While no transmission of information via the internet is completely secure, we take reasonable measures to protect your personal information. We cannot guarantee the security of your personal information transmitted to our Website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.
5.3 International Transfers of your Personal Information. The personal information we collect may be transferred to and stored in countries outside of the jurisdiction you are in where we and our third-party service providers have operations. If you are located in the European Union (“EU“) or the United Kingdom (“UK“, your personal information may be processed outside of the EU including in the United States; these international transfers of your personal information are made pursuant to appropriate safeguards, and, we will take suitable steps to ensure that your personal data is treated just as safely and securely as it would be within the EU and under the General Data Protection Regulation (“GDPR“) or the UK General Data Protection Regulation (“UK GDPR“). Such measures shall include, but are not limited to, having Data Processing Agreements with applicable subprocessors and ensuring that such subprocessors have adequate security and data protection procedures in place aligned with the GDPR or any other applicable data protection law. For a list of subprocessors, please see Hemmat Authorized Subprocessors.
If you wish to inquire further about these safeguards used, please contact us using the details set out at the end of this policy.
6. Retaining your information
6.1 We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of our legitimate business interests and satisfying any legal or reporting requirements.
6.2 To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and the applicable legal requirements.
7. Referral program
7.1 We operate a referral program for our Service; you may choose to provide us with names and email addresses of individuals who you feel would be interested in learning more about our products and services in exchange for rewards. We will store the contact details in order to track the success of our referral service. The referred individual may request that their contact details be removed from our database and they may also contact us at any time at privacy@thyme.org to make the request.
7.2 Where you provide us with names and email addresses of such individuals as set out above, you will obtain the prior consent of those individuals and provide them with the information as to how we handle their personal information as described in this privacy policy.
8. Your rights in respect of your personal information
8.1 In accordance with applicable privacy law, you have the following rights in respect of your personal information that we hold:
- Right of access and portability. The right to obtain access to your personal information along with certain information, and to receive that personal information in a commonly used format and to have it ported to another data controller.
- Right to rectification. The right to obtain rectification of your personal information without undue delay where that personal information is inaccurate or incomplete.
- Right to erasure. The right to obtain the erasure of your personal information without undue delay in certain circumstances, such as where the personal information is no longer necessary in relation to the purposes for which it was collected or processed.
- Right to restriction. The right to obtain the restriction of the processing undertaken by us on your personal information in certain circumstances, such as where the accuracy of the personal information is contested by you or the sale of your personal information for a period enabling us to verify the accuracy of that personal information.
- Right to object. The right to object, on grounds relating to your particular situation, to the processing of your personal information, and to object to the processing of your personal information for direct marketing purposes, to the extent it is related to such direct marketing.
- Right to non-discrimination. The right to non-discrimination for exercising your rights as outlined in this policy. This includes, but is not limited to, denying you goods or services, charging you different prices for similar services, or providing a different level or quality of service.
8.2 If you wish to exercise any of these rights, you may do so by clicking the following link: thyme.org/pi.
Upon request, we will provide you with information about whether we hold any of your personal information. We may request that you verify your identity prior to transferring personal information. You may also access, correct or request deletion of your personal information by logging into your Thyme Service account. We will respond to your request within 30 days.
8.3 Thyme does not sell personal information shared by you. Thyme has not sold personal information shared by you in the 12 months preceding the modification date for this policy. All use of personal information is done for the delivery, use, and improvement of the Service, as listed in 3.1.
8.4 If you reside in the EU or UK, Thyme is the controller of your personal information for purposes of EU or UK data protection legislation. You also have the right to lodge a complaint to your local data protection authority. Information about how to contact your local data protection authority is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents may lodge a complaint with the Information Commissioner’s Office at https://ico.org.uk/make-a-complaint/data-protection-complaints/.
9. Cookies and similar technologies
9.1 Our Service uses cookies and similar technologies (collectively referred to as cookies) to distinguish you from other users of our Service. This helps us to provide you with good service. This helps us enhance and personalize your user experience, to monitor and improve our Website and services, and for other internal purposes. As is true of most websites, we gather certain information automatically. This information we may collect is described in detail in Annex 2.
9.2 We use the following types of cookies:
- Strictly necessary cookies. These cookies are required for the essential operation of our Service such as to authenticate you and prevent fraudulent use.
- Analytical/performance cookies. These cookies allow us to recognize and count the number of visitors and to see how visitors move around our Service when they are using it. This helps us to improve the way our Service works, for example, by ensuring that you can find information easily.
- Functionality cookies. These cookies are used to recognize you when you return to our Service. This enables us to personalize our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
- Targeting cookies. These cookies record your visit to our Service, the pages you have visited and the links you have followed. We will use this information to make our Service and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.
9.3 Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.
9.4 We partner with third parties to manage our advertising on other sites. Our third party partners may use technologies such as cookies to gather information about your activities on this Website and other sites in order to provide you advertising based upon your browsing activities and interests. If you wish to not have this information used to serve you interest-based ads, you may opt-out by visiting the following consumer choice mechanisms:
- Network Advertising Initiative (NAI) self-regulatory opt-out page
- Digital Advertising Alliance (DAA) self-regulatory opt-out page
- European Interactive Digital Advertising Alliance (EDAA)’s consumer opt-out page
Please note this does not opt you out of being served ads. You will continue to receive generic ads.
9.5 You block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including strictly necessary cookies) you may not be able to access all or parts of our site.
9.6 Social Media. Our Website includes social media features, such as Facebook Like button and widgets such as the Share button. These features may collect your IP address, which page you are visiting on our Website, and may set a cookie to enable the feature to function properly. Social media features and widgets are hosted on our site or by a third party, and your interactions with these features are governed by the privacy policy of the company providing it.
10. Links to third party sites
10.1 The Thyme Service may, from time to time, contain links to and from third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for their policies. Please check the individual policies before you submit any information to those websites.
10.2 Some of the pages on our Website may utilize framing techniques to serve content to/from our partners while preserving the look and feel of our Website. Please be aware that you are providing your personal information to these third parties and not to Thyme.
11. Our policy towards children
11.1 The Thyme Service is not directed at persons under 16 and we do not intend to collect personal information from children under 16 in our capacity as a controller. If you become aware that a child has provided us with personal information without appropriate consent, then please contact us using the details below so that we can take the appropriate steps in accordance with our legal obligations and this privacy policy.
12. Changes to this policy
12.1 We may update this privacy policy from time to time and so you should review this page periodically. When we change this privacy policy in a material way, we will update the “last modified” date at the end of this privacy policy. Changes to this privacy policy are effective when they are posted on this page.
13. Notice to you
13.1 If we need to provide you with information about something, whether for legal, marketing or other business related purposes, we will select what we believe is the best way to get in contact with you. We will usually do this through email or by placing a notice on our Website. The fact that we may send notices to you will not stop you from being able to opt out of certain types of contact as described in this privacy policy.
14. Contacting us
14.1 If you are based in the EU, our EU representative is Hemmat Interactive (Ireland) Limited, a limited company registered in Ireland with company number 533767 and with its registered office at Arthur Cox Building, Earlsfort Terrace, Dublin 2.
14.2 Regardless of your location, any questions, comments, and requests regarding this privacy policy are welcome and should be addressed to our Data Protection Officer, John Avi Socha, at privacy@thyme.org.
Communication can also be addressed to:
Hemmat Interactive Inc. DBA Thyme
1221 E Pike St, Suite 200
Seattle, WA 98122
+1 (425) 642-0589
14.3 If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at feedback-form.truste.com/watchdog/request.
Annex 1 — Personal information we collect
All disclosures listed below are made with service providers only and done in accordance with Hemmat’ Terms of Service and Privacy Policy respectively.
| Category of personal information | How we use it | Legal basis for the processing | CCPA Categorization | Previous 12-month disclosures |
| Contact information and basic personal details. Such as your name, phone number, address, location, IP address, e-mail address and where applicable, professional details such as your bar membership number. | We use this information to communicate with you, including sending statements, news, alerts and marketing communications. | The processing is necessary for our legitimate interests, namely for marketing purposes, and for communicating with you effectively and responding to your queries. | Identifiers | Yes |
| We use this information to deal with inquiries and other requests made by or about you, including customer service issues, relating to the Thyme Service. Such communications may include direct mailing. | ||||
| We use this information to operate, maintain and provide to you the features and functionality of the Thyme Service. | The processing is necessary for the performance of a contract and to take steps prior to entering into a contract (namely our Terms of Service). The processing is necessary for the fulfillment of legal requirements, including the verification of identity of customers. | |||
| Email account username and password. | Where you have chosen to import contacts from your Outlook or other email account address book to invite them to become members of our Website, we collect the username and password for the email account you wish to import your contacts from. | The processing is necessary for the performance of a contract and to take steps prior to entering into a contract (namely our Terms of Service). | Identifiers | Yes for email account username |
| Correspondence and comments. When you contact us directly, e.g. by email, phone, mail, or when you interact with customer service, we will record your comments and opinions. | To address your questions, issues, and concerns and resolve your customer service issues. | The processing is necessary for our legitimate interests, namely communicating with you effectively for the purposes of resolving your issues. | Audio, electronic, visual, thermal, olfactory, or similar information | Yes |
| Payment information. Details such as your credit card or other financial information including credit scores obtained from credit reference agencies. | We use this information to facilitate payment through or for use of the Thyme Service, to assess your credit score and to detect and prevent fraud. | The processing for assessing your credit score and facilitating payment is necessary for the performance of our contract (namely our Terms of Service). The processing is necessary for our legitimate interests, namely the detection and prevention of fraud. | Personal Information (as defined by California Customer Records Statute) | Yes |
| Recruiting details. Contact information and basic personal details (as set out above); professional details and employment information such as resume, references, LinkedIn profile. | We use this information to facilitate recruiting. | The processing is necessary for our legitimate interests, namely assessing your suitability for a role with Thyme. | Employment/Education Information | Yes |
| Business and Financial Information. Details such as invoices, payments, fund transfers, financial transactions and statements, trust account information and general ledger data. | We use this information to provide tools and workflows for firms to perform their accounting tasks such as generating their financial reports and reconciling their accounts. | The processing is necessary for the performance of our contract (namely our Terms of Service) in order to provide you with the benefits of our Accounting platform. The processing is necessary for our legitimate interests, namely to operate our business and improve/develop our accounting platform. | Personal Information (as defined by California Customer Records Statute) | |
| All personal information set out above. | We will use all the personal information we collect to operate, maintain and provide to you the features and functionality of the Thyme Service, to monitor and improve the Thyme Service, our Website and business, for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes, to keep the Website safe and secure and to help us develop new products and services. | The processing is necessary for our legitimate interest, namely to administer and improve the Thyme Service, our business and develop new services. | Commercial information | Yes |
Annex 2 — Personal information collected automatically
| Category of personal information | How we use it | Legal basis for the processing | CCPA Categorization | Previous 12-month disclosures |
| Information about how you access and use the Thyme Service. For example, the website from which you came and the website to which you are going when you leave our Website, your social media profiles, how frequently you access the Thyme Service, the time you access the Thyme Service and how long you use it for, whether you open emails or click the links contained in emails, whether you access the Thyme Service from multiple devices, and other actions you take on the Thyme Service. We also gather information, which may include Internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data. | We use this information to: – conduct market analysis, monitor the Thyme Service and how it is used in order to and improve our business and help us develop new products and services; – Generate marketing leads and determine news, alerts and other products and services that may be of interest to you for marketing purposes. | The processing is necessary for our legitimate interests, namely: to conduct relevant analysis to improve the Thyme Service generally and for marketing purposes. | Geolocation information, Inferences about personal preferences and attributes drawn from profiling, Internet activity | Yes |
| Information about your device. We also collect information about the computer, tablet, smartphone or other electronic devices you use to connect to the Thyme Service. This information can include details about the type of device, unique device identifying numbers, operating systems, browsers, and applications connected to the Thyme Service through the device, your Internet service provider or mobile network, your IP address. | We use this information to: – enable the Thyme Service to be presented to you on your device; and – operate, maintain and provide to you the features and functionality of the Thyme Service. We use this information to monitor and improve the Thyme Service and business and to help us develop new products and services. | The processing is necessary for the performance of a contract and (namely our Terms of Service). The processing is necessary for our legitimate interests, namely: to tailor the Thyme Service to the user and to improve the Thyme Service generally. | Internet or other electronic network activity information | Yes |