Privacy Policy

Last Updated: June 2024

Welcome to Mend! This privacy policy (“Privacy Policy”) provides information on how we – White Source Ltd., Ariel Sharon 4 Street, Givatayim, Israel, 532004, as well as its subsidiary, WhiteSource Software, Inc. and any other of its affiliates, doing business as Mend (“Mend”, “we”, “our” or “us”) process your personal data as the responsible party (i.e. the “data controller”) if:

For our privacy policy for job applicants, please see the link to the privacy policy on the relevant open position page.

Our privacy policy for our employees is available on our company intranet and is provided to employees as required under applicable law.

In addition, this Privacy Policy contains general information about your rights related to the processing of your data (see 7).

Should you still have questions or concerns after you have read this Privacy Policy, please contact us at privacy@mend.io.

“Personal Data” means any information that can be used, alone or together with other data, to identify any living human being.

Please note that this is a master privacy policy and some of its provisions only apply to individuals in certain jurisdictions. For example, the legal basis in the table below is only relevant for individuals who are located in the EU or the EEA and therefore are protected by EU Regulation 2016/79 (General Data Protection Regulation – GDPR). This policy applies whenever you visit our website, use our services or otherwise interact with us and will not apply with respect to any data relating to a non-human entity, subject to applicable law.

This Privacy Policy may be updated from time to time and therefore we ask you to check back periodically for the latest version of the Privacy Policy, as indicated below. If there will be any significant changes made to the use of your Personal Data in a manner different from that stated at the time of collection, we will notify you by posting a notice on our Website or by other means.

1. WHAT PERSONAL DATA WE COLLECT, WHY WE COLLECT IT, AND HOW IT IS USED

1.1. Personal Data of visitors of our website.

When you visit our website, our servers will automatically store various data about your usage of our website, including in particular the type/version of your browser and operating system, the website from which you arrive at our website, the pages of our website you visit, date and time of your access, your IP address and similar data. The legal basis for processing personal user data is our legitimate interest. We use such data to be able to make the website accessible, to detect and resolve any technical problems, and to prevent and, if necessary, prosecute any misuse of the website. In addition, we use these data in an anonymous form, i.e. without the possibility of identifying the user, for statistical purposes and to improve the website. For our website’s use of cookies please see section 8 below.

1.2. Data entered into a contact form on our website.

The website of Mend allows you to contact us by using a contact form. To do so, you may be required to provide your work email address, the country you are located in and the purpose of your request. Personal data transmitted to Mend in this connection will be used to process your request, as well as to contact you about the products, services and other offers from Mend. The legal basis for processing this personal data is our legitimate interest to answer your request.

1.3. Data processing in connection with your subscription to our newsletter.

On the website of Mend you may subscribe to our newsletter. To do so, you must provide your email address. Additional information may be provided on a voluntary basis. This information will be used exclusively to send out the newsletter and will not be transferred to any third parties. The legal basis for data processing is your consent. You have the right to revoke your consent at any time by clicking the unsubscribe button in the newsletter, without thereby affecting the lawfulness of data processing that has occurred up until consent is revoked. If consent is revoked, then you will no longer receive the newsletter.

When you subscribe to our newsletter, your IP address and the date and time of subscription and email verification will be collected. These data will be processed exclusively for the purpose of allowing us to reconstruct any possible misuse of your email address. The legal basis for processing of the aforementioned data is a legitimate interest.

Our newsletter contains a so-called “tracking pixel”. A tracking pixel is a miniature image file that is embedded in emails in HTML format. The embedded tracking pixel allows Mend to recognize whether and, if so, when you open the newsletter and on which of the links in the newsletter you click. Data collected via tracking pixels in our newsletters are stored and processed for statistical purposes to optimize the distribution of our newsletter and to tailor the content of future newsletters even more to the interests of the recipient.

1.4. Data processing in connection with subscriptions or registrations to our Service.

Mend offers Business-to-Business Services. Data relating to our business customers that we process for the conclusion, performance and termination of our contract with a Customer (e.g., business name and address, payment information), therefore, are not considered as Personal Data. However, we process certain Personal Data of those individuals who subscribe to a contract or register for our free Service on behalf of a Customer, in particular a work email address.

1.5. Data of Contributing Developers.

Mend collects pseudonymized email addresses of a Customer’s Contributing Developers to verify compliance with the license terms agreed with the Customers. The email addresses are processed solely to determine the number of Contributing Developers attributable to a Customer. The legal basis for processing of this personal data is our legitimate interest.

1.6. Data of Users of the Services.

The website of Mend allows individuals who have been designated by our Customers as users of our Services (“Users”) to create an account and to use our Services, e.g. work on our platforms. If you are a User, to do so, you must provide your first name and last name, your user name, password and work email address to create an account. When you log into your account on our Platform, our systems collect certain information about your activities, such as the time you log in and out, the Services you use and the actions you take on the Services. In the event of a support issue, such as a planned or emergency outage, we may send a notification to your work email address. Some of the actions may be visible in the Mend Dashboard to other users from your organization. The sole purpose of the processing of this Personal Data is to provide our Customers with the Services of Mend. The legal basis for processing this personal data is our legitimate interest to be able to provide our Customers with our Services.      

Please be aware that if you access our Services through connected third party applications (such as Google, GitHub, GitLab, AWS or Microsoft), we will receive certain information (including personal data, as described above) about you from the provider of such third party applications. The scope of information we receive depends on your third party application privacy settings and the information you shared with such third party. Such third parties are beyond our control and are not covered by our privacy policy. Please review the privacy policies of the third parties before providing your personal data.

1.7. Data processing for marketing purposes.

If you subscribe to our Services on behalf of a Customer or if you are a User of our Services, we will also use your email address to inform you periodically about other interesting offers from Mend. If you do not wish to receive such information, you can easily opt-out free of charge by clicking on the unsubscribe link here or at the bottom of any message containing product information from Mend. The legal basis for processing this personal data is our legitimate interest.

1.8. Data processing in connection with your use of our chatbot feature.

The website of Mend allows individuals to engage with our chatbot feature to obtain information about Mend and our services.  In the event that you use our chatbot function, we use a third-party service provider, Drift, to collect, store, maintain and respond to information you provide through this function.  A copy of the Drift Privacy Policy may be found here (https://www.drift.com/privacy-policy/).  If you agree to engage with our chatbot, your IP address, email address, location and the date and time of the interaction may be collected.  Additionally, you may be required to provide your company name, work email address, your location and the purpose of your request. Personal data transmitted in connection with your use of the chatbot will be used to process any request you may make, as well as to inform you about the services from Mend. The legal basis for processing this personal data is our legitimate interest to answer your request.

2. PERIOD OF STORAGE OF COLLECTED INFORMATION

2.1. Your Personal Data (as described above) will be retained until: (i) it is no longer reasonably necessary for the purposes described in this Privacy Policy, unless a longer storage period is required by applicable law or by our Customer; or (ii) you send a valid deletion request. 

2.2. Data collected when visiting our website is regularly stored for a period of 365 days. Cookies (see section 11) are stored for 365 days. You can also delete cookies earlier on your own. You can read more in our cookie policy (available here: https://www.mend.io/cookies-policy/).                

If you have any questions about our Data Retention Policy, please contact us by email at privacy@mend.io. Additional information about our Data Retention Policy (including non-Personal Data retention) can be found at: https://www.mend.io/data-retention/.

3. DATA LOCATION

3.1. Your Personal Data may be maintained, processed and stored by us and by our authorized affiliates and service providers (defined below) in the U.S., the State of Israel, the UK and other jurisdictions, including the European Union, as necessary for the proper delivery of our Services, or as may be required by applicable law.

3.2. Customers’ data may be stored either in our third-party data hosting facilities located in the U.S. or in the EU based on Customer’s location and preference.

3.3. We have operations in Israel, which offers an adequate level of protection for the Personal Data of EU Member State residents.

3.4 We may transfer Personal Data to countries other than the country where the data originated. Any such transfers shall be done in compliance with all applicable laws. While privacy laws may vary between jurisdictions, we, our affiliates and Service Providers are each committed to protect Personal Data in accordance with this Privacy Policy and customary industry standards, regardless of any lesser legal requirements that may apply in the applicable jurisdiction.

4. HOW WE PROTECT YOUR PERSONAL DATA

We have implemented appropriate technical and organizational security measures. However, please note that regardless of the measures implemented, we cannot and do not guarantee the absolute protection and security of any Personal Data stored with or accessed by us or any third party with whom we share your Personal Data as described under Section 1 below. Nevertheless, we make commercially reasonable efforts to make the collection and security of such information consistent with this Privacy Policy and all applicable laws and regulations. As the security of information depends in part on the security of the computer, device or network you use to communicate with us and the security measures you use to protect your user IDs and passwords, please make sure to take appropriate measures to protect this information.

5. HOW WE SHARE YOUR PERSONAL DATA 

5.1. For certain technical data processing tasks, Mend is assisted by third-party service providers who will receive access to your personal data to provide such services. Those service providers have been carefully selected and meet high data privacy and data security standards. They are subject to strict duties of confidentiality and process data only on behalf and in accordance with the instructions of Mend.

5.2. We share Personal Data related to you with our company affiliates, meaning an entity that controls, is controlled by, or is under common control with Mend, for our administrative purposes including activities such as IT management, for them to provide services to you, or to support and supplement the Services we provide.

5.3. We will disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. PLEASE NOTE THAT IN SUCH CASE WE WILL TAKE ADEQUATE MEASURES TO PREVENT INSPECTION BY NON-EU AUTHORITIES OF PERSONAL DATA RELATING TO YOU AND PROVIDE NOTICE TO THE EXTENT NOT PROHIBITED.

5.4. If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider (together, a “Structural Change”), Personal Data relating to you will be sold or transferred as part of the Structural Change, provided that the receiving entity will comply with this policy.

6. YOUR PRIVACY CHOICES AND RIGHTS

Email Communications. At any time you can opt-out of our mailing list by clicking the unsubscribe link found at the bottom of the email. Note that you will continue to receive transaction-related emails regarding services you have requested. We may also send you certain non-promotional communications regarding us and our services, and you will not be able to opt out of those communications (e.g., communications regarding our services or updates to this Privacy Policy).

Cookies. You can manage your preferences related to use of cookies and similar technologies on our services by following the instructions in our Cookie Policy.

7. DATA WE COLLECT AND RECEIVE FROM THIRD PARTIES

We may receive your contact and professional details (e.g. business address and position, work email address) from our business partners and third party service providers and tools commonly used to connect individuals and entities to explore potential business and employment opportunities (e.g., LinkedIn). The purpose as well as the legal basis for the processing of this personal data results in principle from the respective context of the communication or cooperation. Such contexts and the corresponding legal bases are described in this Privacy Policy in sections 1.1. to 1.7.

8. LINKS TO AND INTERACTION WITH THIRD PARTY PRODUCTS

The Website may enable you to interact with or contain links to your third party account and other third party websites (each, a “Third Party Service”). Such third parties are beyond our control and are not covered by our privacy policy. We are not responsible for the privacy practices or the content of such Third Party Services. Please be aware that Third Party Services may collect Personal Information from you. Accordingly, we encourage you to read the terms and conditions and privacy policy of each Third Party Service that you choose to use or interact with.

9. ADDITIONAL INFORMATION REGARDING TRANSFERS OF PERSONAL DATA

9.1. Internal transfers: We ensure transfers with our approved affiliates are covered by a data protection agreement, which contractually obliges each approved affiliate to ensure that personal data receives an adequate and consistent level of protection wherever it is transferred to. Please find information about the group companies that we share your personal data with here: https://www.mend.io/Group-Companies/.

9.2. External transfers: (for data subjects protected under the GDPR or the UK GDPR) Where we transfer your Personal Data outside of the EU/EEA or the UK respectively to countries for which no adequacy decision of the EU Commission exists, for example to approved affiliates or third parties who help provide our products and services, we will obtain contractual commitments and/or assurances from them on the basis of the EU Standard Contractual Clauses and/or the UK Standard Contractual Clauses to protect your Personal Data.

Where we receive requests for information from law enforcement or regulators, we carefully validate these requests before any personal data is disclosed (see additional information under Section 1 above). 

10. YOUR RIGHTS; HOW TO DELETE YOUR ACCOUNT  

10.1. Rights. The following rights shall apply to individuals who are protected by the GDPR or the UK GDPR. Some of these rights may also apply under your applicable law.

10.2. You have a right to access personal data held about you. Your right of access may normally be exercised free of charge, however we reserve the right to charge an appropriate administrative fee where permitted by applicable law;

10.3. You have the right to request that we rectify any personal data we hold that is inaccurate or misleading;

10.4. You have the right to request the erasure/deletion of your personal data (e.g., from our records). Please note that there may be circumstances in which we are required to retain your personal data, for example for the establishment, exercise or defense of legal claims or for the provision of Services to our Customers;

10.5. You have the right to object to, or to request restriction of, the processing;

10.6. You have the right to data portability. This means that you may have the right to receive your Personal Data in a structured, commonly used and machine-readable format, and that you have the right to transmit that data to another controller;

10.7. You have the right to withdraw your consent at any time. Please note that there may be circumstances in which we are entitled to continue processing your Personal Data, in particular if the processing is required to meet our legal and regulatory obligations. Also, please note that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;

10.8. You have a right to lodge a complaint with your local data protection supervisory authority. We ask that you please attempt to resolve any issues with us before you contact your local supervisory authority and/or relevant institution.

10.9. You can exercise your rights by contacting us at privacy@mend.io. Subject to legal and other permissible considerations, we will make every reasonable effort to honor your request promptly or inform you if we require further information in order to fulfill your request. When processing your request, we may ask you for additional information to confirm your identity and for security purposes, before disclosing the Personal Data requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive. In the event that your request would adversely affect the rights and freedoms of others (for example, would impact the duty of confidentiality we owe to others) or if we are legally entitled to deal with your request in a different way than initially requested, we will address your request to the maximum extent commercially reasonably possible, all in accordance with applicable law.

10.10. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

10.11. Deleting your account. If you ever decide to delete your Account, you may do so by emailing privacy@mend.io. If you terminate your Account, any association between your Account and information we store will no longer be accessible through your Account. However, in certain portions of the Services, any public activity on your Account relating to such Services will remain stored on our servers (or on third party servers) prior to deletion and will remain accessible to the public.

11. COOKIES AND ANALYTIC TOOLS

Mend’s website uses cookies. Cookies are small text files that are stored on the hard drive of the user to exchange certain settings and data with the systems of Mend via the browser. A cookie generally contains the name of the domain from which the cookie data were sent, as well as information on the age of the cookie and an alphanumeric identifier. Information stored in cookies is not used to identify users and is not merged with any other stored personal data about users.

Cookies can be blocked or restricted by changing the settings of your browser. Cookies that have already been stored may be deleted at any time. This can also be done automatically. If cookies for Mend’s website are blocked, then you may no longer be able to fully use all functions of the website.

Cookies are only stored and used to process personal data with your consent and for the purpose of gathering information on how you use our website in order to measure the reach and effectiveness of our services.

Mend also uses a web analytics service (“Analytics Tools”). The Analytics Tools collect information such as how often users visit this site, what pages they visit when they do so, and what other sites they used prior to coming to this Website. We use the information we get from the Analytics Tools to maintain and improve the Website and our products and to improve our Customers’ and Visitors’ experience.

Additional information may be found under our Cookie Management on our website and here: https://www.mend.io/cookies-policy/.

12. SPECIFIC PROVISIONS APPLICABLE UNDER CALIFORNIA LAW

If you are a California resident, the California Consumer Privacy Act (“CCPA”) provides California consumers with the right to request access to their Personal Information, as well as additional details about our information practices and deletion of their Personal Information (subject to certain exceptions). California consumers also have the right to opt out of sales of Personal Information, if applicable.

12.1. Right to Access. You have the right to access Personal Information which we may collect or retain about you. If requested, we shall provide you with a copy of your Personal Information which we collect as permitted by the CCPA. You also have the right to receive your Personal Information in a structured and commonly used format so that it can be transferred to another entity (“data portability”).

12.2. Right to Know. You have the right to request that we disclose the following about your Personal Information, as defined by the CCPA:

12.3. No sale of personal information. We do not sell or share your personal information within the meaning of the CCPA.

12.4. Right to Limit Sensitive Personal Information. We do not collect or process Sensitive Personal Information for the purpose of inferring characteristics about our consumers.

12.5. Right to Deletion. In certain circumstances, you have the right to request the deletion of your Personal Information. Upon verifying the validity of a deletion request, we will delete your Personal Information from our records, and instruct any service providers or contractors to delete your information, when applicable.

12.6. Right to Correction. In certain circumstances, you have the right to request correction of any inaccurate Personal Information. Upon verifying the validity of a verifiable consumer correction request, we will use commercially reasonable efforts to correct your Personal Information as directed, taking into account the nature of the Personal Information and the purposes of maintaining your Personal Information.

12.7. Exercising Your Rights. If you are a California resident, you can exercise any of your rights as described herein and under applicable privacy laws as described in this section. We will not discriminate against you for exercising such rights. Except as described in this notice or provided for under applicable privacy laws, there is no charge to exercise your legal rights. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either (i) charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or (ii) refuse to act on the request and notify you of the reason for refusing the request.

12.8. California’s “Shine the Light” law. California Civil Code section 1798.83 gives customers who are California residents the right to ask, once a year, (1) what personal information was disclosed to third parties for those third parties’ direct marketing purposes in the prior calendar year; and (2) the identities of the companies with whom the information was shared. The terms “customers” and “personal information” have the meaning given by the Shine the Light law (California Civil Code Sec 1798.83).

12.9. Deletion Of Content From California Residents. If you are a California resident under the age of 18 and a registered user, California Business and Professions Code Section 22581 permits you to remove content or Personal Data you have publicly posted. If you wish to remove such content or Personal Data and you specify which content or Personal Data you wish to be removed, we will do so in accordance with applicable law. Please be aware that after removal you will not be able to restore removed content. In addition, such removal does not ensure complete or comprehensive removal of the content or Personal Data you have posted, and there may be circumstances in which the law does not require us to enable removal of content.

12.10. Our California Do Not Track Notice. We do not currently respond or take any action with respect to web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personal information about an individual consumer’s online activities over time and across third-party websites or online services. We may allow third parties, such as companies that provide us with analytics tools, to collect personal information, subject to applicable law, about an individual consumer’s online activities over time and across different websites when a consumer uses the Services.

13. OTHER STATE-SPECIFIC PRIVACY LAWS 

This Privacy Notice also applies to consumers who reside in states that have adopted consumer privacy laws. Because of differences in certain state laws and the effective dates of those state laws, this section may apply to residents of one or more states with consumer privacy laws requiring such information. States that have passed consumer privacy laws as of the date of this Privacy Notice are Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia (collectively “US State Privacy Laws”).   We have not sold personal information in the past twelve months. We have also not “shared” or made available personal information for the purposes of targeted advertising by third parties in the past twelve months. 

13.1. Your Rights Under Applicable US State Privacy Laws. To the extent applicable under US State Privacy Laws, you may have the following rights in connection with your personal information:

13.2. Use of Agents. If you are a consumer in a jurisdiction that recognizes the ability to use an authorized agent and wish to contact us through an authorized agent, the authorized agent can submit a request on your behalf along with a statement, certified as may be required, that the agent is authorized to act on your behalf. In order to verify the request, we may ask you to verify your identity.

13.3. Appeals. If you are in a jurisdiction that recognizes your ability to appeal a decision we have made in connection with your attempt to assert a right under applicable US State Privacy Laws (such as Texas, Oregon, Montana, Colorado, Connecticut or Virginia), you may file an appeal of our decision refusing  your request to exercise your rights under this Privacy Notice. Requests to change our policies or practices are not grounds for appeal.  If your jurisdiction allows you to file a complaint with the state’s Attorney General’s Office regarding any concerns with the result of your appeal request, you may do so by using the following links as may be applicable to you: Virginia (www.oag.state.va.us/consumer-protection/index.php/file-a-complaint), Colorado (coag.gov/file-complaint), Connecticut (portal.ct.gov/AG/Common/Complaint-Form-Landing-page), and Texas (https://oag.my.salesforce-sites.com/CPDOnlineForm).

14. USE BY CHILDREN

We do not offer our products or services for use by children. If you are under 18, you may not use the Website, or provide any information to the Website without the involvement of a parent or a guardian. We do not knowingly collect information from, and/or about children.  Please notify us if you believe our Website is being used by a child under the age of 18.  If we become aware that we have collected personal data from anyone under the age of 18 without verification of parental consent, we take steps to remove that information from our servers.