GDPR and Privacy Shield Privacy Notice
Effective Date: December 6, 2018
GDPR Privacy Notice
Processor Disclosure: We serve as a data processor to the extent Subscribers upload personal data into our Platform, such as log-in information or other personal data uploaded at the discretion of the Subscriber within the Subscriber’s Platform environment (“Platform Data”) such as for the generation of Signals. When serving as a processor, we have certain obligations under GDPR including only processing personal data at our Subscribers’ instructions reflected in the applicable Master Services Agreement, providing assistance with fulfilment of rights requests, and implementing appropriate security for personal data. We will forward any inquiries, complaints, or requests received from data subjects with respect to the Platform Data to the appropriate Subscriber and await instructions before taking any action.
Controller Disclosure & Details: We are a data controller of personal data for the following processing activities (with accompanying legal bases):
- Information Security: Across the Site and Platform, our web servers will log IP address and other information (e.g., browser information, operating system, request date/time, user agent string, referral and exiting URL) in order to maintain an audit log of activities performed. We use this information pursuant to our legitimate interests in tracking Site and Platform usage, debugging, combating DDOS or other attacks, and removing or defending against malicious visitors on the Site and Platform.
- Web Audience Measurement: Our legitimate interest in use of Google Analytics and Mixpanel to understand how Visitors and Subscribers interact with the Site and Platform, respectively, and where such EEA Individuals are located (up to city-level only) in order to optimize the Site and Platform experience. Note that the last octets of Site Visitors’ IP Addresses have been anonymized and ‘Sharing With Google’ and ‘Demographics/Advertising’ features have been disabled within Google Analytics. Further, we do not receive IP Address from Mixpanel and limit personal data within for strict web audience measurement purposes.
- Direct Marketing: Our legitimate interest in sending email marketing (e.g., Predata research) to Visitors or current or prospective Subscribers;
- Platform Demonstrations: Our legitimate interest in setting up demos with Visitors or prospective Subscribers pursuant to their request;
- Signal Generation: Our legitimate interest in generating the Predata Signals available within our Platform through processing of personal data from third-party social and digital media sources (e.g., social media handles).
- General Business Development: Our legitimate interest in furthering business relationships (such as by storing Subscriber information within a CRM or other file, or setting up business meetings), ensuring Subscriber satisfaction, and answering inquiries.
Controller’s Representative: Our representative in the European Union is ePrivacy GmbH (email@example.com).
Recipients: As applicable to carry out the processing activities described above or to provide our Platform, the Predata teams (e.g., sales, marketing, operations) processes personal data internally and discloses personal data to the following US-based recipients:
- Amazon AWS (US East): Cloud-based storage provider
- GSuite: Google applications (e.g., Gmail)
- Heroku: Cloud Platform-as-a-Service (PaaS) development
- MailChimp: Cloud-based marketing automation platform
- Salesforce: CRM
- Google Analytics: Site audience measurement
- Mixpanel: Platform audience measurement
- Logentries: Log management and analysis software
- Rollbar: Error tracking and crash reporting
- Sendgrid: Automated system email delivery
Retention: Please see below for our general retention periods. Please note that the below retention periods may be extended or shortened, as appropriate, based on the context of our relationship with an EEA Individual (e.g., negotiations for a sale, interest in the Platform), and for compliance with legal obligations (e.g.,accounting, finances, tax).
We will retain the personal data of prospective Subscribers for marketing and customer relationship management purposes for three (3) years. At that point, the prospective Subscribers will have to sign up for marketing or affirmatively demonstrate interest in the Platform (or other products/services that may be available at such time). These retention periods may be extended for prospective Subscribers that are in current negotiations with Predata near the end of such retention periods.
Current Subscribers’ personal data will be retained until the relationship terminates, at which point their personal data will be deleted shortly thereafter. A subset of such personal data may be retained for another three (3) years for finance and tax purposes, repeat business, and/or as required under applicable law. After such point, the former Subscriber will have to re-sign up for marketing or affirmatively demonstrate interest in the Platform (or other products/services that may be available at such time).
Email correspondence shall be kept for three (3) years, but may be extended based on current negotiations, or the establishment, exercise, or defense of legal claims.
Personal data relating to contractual and other legal documentation with our Subscribers or service providers will be retained permanently. Google Analytics and Mixpanel audience measurement data will be retained for fourteen (14) months from the date of receipt. Relatedly, audit logs shall be kept for fourteen (14) months.
Your GDPR Rights: As a natural person, you have a right to: (i) request access to, correction and/or erasure of your personal data; (ii) object to processing of your personal data; (iii) restrict processing of your personal data; and (iv) request a copy of your personal data, or have a copy thereof sent to another controller, in a structured, commonly used and machine readable format under the right of data portability. You may exercise these rights and submit a GDPR complaint by contacting: Privacy@Predata.com with the subject line “GDPR Notice.”
You also have the right to lodge a complaint about the processing of your personal data with an appropriate data protection authority, and, as applicable, to exercise third-party beneficiary rights
under Predata’s Standard Contractual Clauses.
Contact details for the EU data protection authorities can be found at: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.
Objecting to Legitimate Interest/Direct Marketing: You may object to personal data processed pursuant to our legitimate interest. In such case, we will no longer process your personal data unless we can demonstrate appropriate, overriding legitimate grounds for the processing or if needed for the establishment, exercise, or defense of legal claims. You may also object at any time to processing of your personal data for direct marketing purposes by clicking “Unsubscribe” within an automated marketing email or by submitting your request to Privacy@Predata.com with the subject line “GDPR Notice” (the latter for instances where, for example, you would not like to receive follow-ups from our sales team). In such case, your personal data will no longer be used for that purpose.
Transfer of Personal Data outside the EEA: We are self-certified under the EU-US and Swiss-US Privacy Shield for appropriate transfer of your personal data, such as to our US data centers, pursuant to Article 45(1); in these instances, you may have specific rights under the Privacy Shield (see E.U.-U.S. and Swiss-U.S. Privacy Shield Notice below). In other instances, however, we may alternatively rely on appropriate Standard Contractual Clauses to ensure adequate protection for your personal data.
Disclosure to Public Authorities: Predata may be required to disclose personal data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. We may also disclose personal data to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.
Corporate Restructuring: In the event of a merger, reorganization, dissolution or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal data, would be transferred to the surviving entity in a merger or the acquiring entity. All such transfers shall be subject to our commitments with respect to the privacy and confidentiality of such personal data as set forth in this Notice.
Updates to this Notice: If, in the future, we intend to process your personal data for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information at a reasonable time prior to such processing. After such time, the relevant information relating to such processing activity will be revised or added appropriately within this Notice, and the “Effective Date” at the top of this page will be updated accordingly.
How to Contact Us: Predata is located at 379 W Broadway, New York, NY 10012. Please use this address or, preferably, reach out to Privacy@Predata.com for any questions, complaints, or requests regarding this Notice; please include the subject line “GDPR Notice.”
E.U.-U.S. and Swiss-U.S. Privacy Shield Notice
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Predata is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
In compliance with the EU-US and the Swiss-US Privacy Shield Principles, Predata commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the EU-US and Swiss-US Privacy Shield Principles. European Union and Swiss individuals with Privacy Shield inquiries or complaints should first contact Predata at firstname.lastname@example.org with the subject line “Privacy Shield.”
Predata has further committed to refer unresolved privacy complaints under the EU-US and the Swiss-U.S. Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your Privacy Shield complaint is not satisfactorily addressed by Predata, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. If these processes do not result in a resolution, you may also contact your local data protection authority, the US Department of Commerce, and/or the Federal Trade Commission for assistance. If your complaint still remains unresolved, then under limited circumstances, a binding arbitration option by the Privacy Shield Panel may be available upon written notice to Predata at email@example.com, with the subject line, “Privacy Shield.”
Disclosure to Public Authorities under the Privacy Shield Predata may be required to disclose personal information in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. We may also disclose personal information to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.
Opt-In and Opt-Out to Certain Onward Transfers under the Privacy Shield: We may transfer your personal information to a third party controller, but you may opt-out of such transfer at any time by sending us an email at to firstname.lastname@example.org, with the subject line, “Privacy Shield.” We will not disclose your sensitive personal information to any third party without first obtaining your opt-in consent. You may grant such consent by contacting us at to email@example.com. In each instance, please allow us a reasonable time to process your response.
Retention of Personal Information under the Privacy Shield: We will retain the personal information processed pursuant to the Privacy Shield in a form that identifies you pursuant to our data retention periods in Retention above, or as subsequently authorized. We may continue processing such personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of our privacy disclosures. After such time periods have expired, we may either delete your personal information or retain it in a form such that it does not identify you personally.
How We Protect Your Personal Information under the Privacy Shield: Predata takes very seriously the security and privacy of the personal information that it collects pursuant to the Privacy Shield. Accordingly, we will implement reasonable and appropriate security measures to protect your personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in processing and the nature of such data, and comply with applicable laws and regulations. Pursuant to the Privacy Shield, Predata remains liable for the transfer of personal data to third parties acting as our agents unless we can prove we were not a party to the events giving rise to the damages.