The information in this section 14 is provided for the benefit of residents of the European Union, European Economic Area, the U.K. and Switzerland (collectively, “Europe”, “European”), and reflects additional disclosures which you are entitled to under the General Data Protection Regulation (GDPR) and equivalent local data protection laws, in circumstances where those laws apply.
Legal basis for using your personal data. For each activity that uses personal data (see section 3) we are required to establish a ‘legal basis’ for processing. The legal bases we rely on are:
- Necessary for us to perform a contract with you or take steps at your request prior to entering into a contract (“Performance of Contract”) – if we have entered into a contract with you as an individual, and we need to process personal data to provide our services and support, and to administer those services.
- Necessary for us to realize a legitimate interest based on an assessment of that interest and your privacy and other fundamental interests (“Legitimate Interest”) – if we have entered into a contract with your business, we have a legitimate interest in processing your personal data (e.g., your business contact information) to the extent necessary to provide our services and support, and to administer those services. We also have a legitimate interest in carrying out analytics and improvement, marketing and advertising to businesses, administering research and surveys, as well as establishing, exercising and defending our legal rights. In each case, we ensure that our legitimate interest is not outweighed by any impact on your rights and freedoms that results from our use of your personal data.
- Necessary for us to comply with an applicable legal obligation (“Complying with a Legal Obligation”) – for example, if we are required to disclose your personal data in response to legal proceedings, or if we need to provide personal data to tax authorities or other regulators.
- With your consent (“Consent”) – for example, where we are required by local law to obtain your consent prior to sending you direct marketing messages or collecting information through the use of non-essential cookies or similar technologies. In these cases, you can withdraw your consent at any time with future effect.
Overview of European Rights. Where European data protection laws apply you have a right to request access to and correction (i.e., rectification) or erasure of your personal data, to data portability, to restriction of processing of your personal data, to object to the processing of your personal data under certain circumstances, and to lodge a complaint with a supervisory authority. For more information about these rights, please visit the European Commission’s “My Rights” page relating to GDPR, which can be displayed in a number of languages.
Right to Object to Processing of Personal Data
- For Direct Marketing Purposes. You have the absolute right to object to the processing of your personal data for direct marketing purposes, including profiling for purposes of direct marketing.
- For Public Interest or Exercise of Official Authority. You have the right to object if the processing of your personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- For Legitimate Interests. You have the right to object if the processing of your personal data is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Retention. We retain the personal data we collect as reasonably necessary for the purposes described in this privacy policy or otherwise disclosed to you at the time of collection. We retain personal data as necessary to comply with our tax, accounting, operational and recordkeeping obligations, to provide you with the services you have requested, to protect, defend or establish our and others’ rights, defend against potential claims, and comply with our legal obligations. In some cases, we may deidentify or aggregate personal information in compliance with European data protection laws.
Data Privacy Framework (“DPF”) Program Statement
- EU-U.S. Data Privacy Framework (for personal information transferred from the EU to the U.S.)
- UK Extension to the EU-U.S. Data Privacy Framework (for personal information transferred from the UK and Gibraltar to the U.S.)
- Swiss-U.S. Data Privacy Framework (for personal information transferred from Switzerland to the U.S.)
Personify, Inc., and its affiliates, a2z Personify, LLC, WildApricot Inc. and MemberClicks, LLC (“Personify,” “we,” “our,” “us”) complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce (collectively, the “Frameworks”). Personify has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) regarding the processing of personal information received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Personify has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) regarding the processing of personal information received from Switzerland in reliance on the Swiss-U.S. DPF (together, the “Principles”). If there is any conflict between the terms in this Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the relevant Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Personal Information We Process. We collect the categories of personal information described in the “Personal Data We Collect” section of our Policy. We process this personal information for the purposes stated in the “How We Use Personal Data” section of our privacy policy. We commit to processing the personal information we receive under the Frameworks in accordance with the Principles.
U.S. Entities. The following Personify entities adhere to the Principles: Personify, Inc., and its affiliates, a2z Personify, LLC, WildApricot Inc. and MemberClicks, LLC.
Your Choices. Pursuant to the Frameworks, EU, UK, and Swiss individuals (“you”) have the right to obtain confirmation of whether we maintain your personal information in the United States. Upon your verifiable request, we will provide you with access to the personal information that we hold about you, and you may also request that we correct, amend, or delete personal information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to your privacy in the case in question, or where the rights of other persons would be violated.
You may also opt out of our disclosure of your personal information to a third party who is not an agent or operating upon our instructions pursuant to a contract (“Third Party”), or the use of your personal information for a purpose that is materially different from the purpose(s) for which the personal information was originally collected or subsequently authorized by you. To do so, please contact us at personifyprivacy@personifycorp.com.
Sensitive Personal Information. For any sensitive personal information we collect about you (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), we will obtain affirmative express consent (i.e., opt in) from you if such data will be disclosed to a Third Party or used for a purpose other than those for which it was originally collected or subsequently authorized by you. In addition, we will treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.
Transfers to Third Parties. As described in more detail in Section 4, “Disclosures of Personal Data”, of our Policy, we transfer personal information to Third Parties, such as agents or service providers, non-affiliated parties, and to appropriate vendors (e.g., to verify identity and to investigate and prevent fraud, potential threats to safety, illegal activities, and violations of terms or this Policy). We contractually require Third Parties to whom we transfer personal information to provide equivalent levels of protections.
Contacting Us, Complaints, and Dispute Resolution. In compliance with the Frameworks, Personify commits to resolve complaints about our collection and use of your personal information. If you have inquiries or complaints regarding our handling of personal information received in reliance on the Frameworks, you should first contact us at Personify, 7010 Easy Wind Drive, Suite 210, Austin, Texas 78752, personifyprivacy@personifycorp.com.
Non-Human Resources Data. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Human Resources Data. In compliance with the Frameworks, Personify commits to cooperate and comply with the advice of the panel established by the EU data protection authorities, the UK Information Commissioner’s Office, the Gibraltar Regulatory Authority, and the Swiss Federal Data Protection and Information Commissioner, as applicable, with regard to unresolved complaints concerning our handling of human resources personal information received in reliance on the Frameworks in the context of the employment relationship.
Binding Arbitration. If your complaint cannot be resolved through the above channels, there may be a possibility, under certain conditions, for you to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms. See DPF Principles Annex 1 at https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2 for more information.
FTC Enforcement. The U.S. Federal Trade Commission has jurisdiction over Personify’s compliance with the Frameworks.
Law Enforcement or Public Authority Requests. In accordance with our legal obligations, we may be obligated to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Liability for Onward Transfers. Personify remains responsible and liable under the Frameworks for any onward transfers of your personal information to Third Parties.