Syndigo CES - Privacy Policy

Content Experience Suite (“CES”)

Privacy Notice

Effective on: 3/12/2023

Introduction and Scope

Syndigo LLC (“Syndigo,” “we,” “us,” “our”) takes the protection of personally data (“Personal Data”) very seriously.

We collect and process your Personal Data when providing you with access to and use of our web-based software application solution called Content Experience Suite (CES) (the “Services”). This Privacy Notice (the “Notice”) gives you information about what Personal Data we process to provide the Services. When we refer to “you”, we mean the end-users of our Services and the visitors to our customer’s websites where Syndigo’s Enhanced Content application, an analytics feature of CES, is enabled.

In connection with the Services and for the purposes described in this Notice, we act as a storage and service provider. What this means is that we process your Personal Data at our customers’ request to provide you with access to and use of the Services, and to provide analytics to our customers on their instructions.

This Notice does not apply to Personal Data we collect by other means or process for other purposes, such as Personal Data that we receive directly through Syndigo’s own publicly accessible website (www.syndigo.com), Personal Data we process to provide you with customer support, Personal Data processed in the context of the Syndigo University, as part of our sales and marketing efforts, or the Personal Data of our employees. In those contexts, we act as a controller and our general privacy notice applies.

Controllership

In the context of this Notice, Syndigo acts as a “data processor” or “service provider” for the Personal Data we process for our customers through CES. This means that our customers determine the type of Personal Data they provide to us to process on their behalf and what Syndigo must do with it. We typically have no direct relationship with the individuals whose Personal Data we receive from our customers.

Basis of Processing

Within the scope of this Notice, we process Personal Data based on the documented instructions of our customers. To learn about our customers’ lawful bases for processing your Personal Data, please read their privacy notices.

How We Receive Personal Data

We receive your Personal Data in the following ways:

you provide it directly to us as part of using CES as customer-appointed key contact;
our customers (including their employees, contractors, and other representatives of the company) provide it to us;
the Services record your actions while you use the Services;
you visit our customer’s website (only applicable to website visitors of Syndigo customers using the Enhanced Content analytics feature); or
we receive it from other companies within our corporate group.

Categories of Personal Data

We may process the following types of Personal Data:

Identifiers: Username to access the Services, password (hashed)
Biographical Information: First and last name
CES application role: Administrator or regular user
Professional information: role/job title, and company name
Contact information: Business email address, phone number, and physical address
account information, such as username and password (hashed); and
Web analytics data: user, session, and visit IDs (randomly generated GUID), IP address, and site behavior (only applicable to visitors of websites where customer Enhanced Content is embedded).

Purposes of Processing

We process your Personal Data for the following purposes:

enabling your use of and use of the Services, including for user authentication
providing web analytics to our customers who use Enhanced Content

Data Retention

We retain Personal Data for as long as instructed by our respective customer (who typically acts as a controller). In the absence of any instruction by the customer, Personal Data used for a project shall be purged once the project is complete, including from backups. As a general rule, we will delete all Personal Data associated with CES end-users within 30 days from the day the account with our customer was cancelled.

Sharing Personal Data with Third Parties

We share your Personal Data with our subsidiaries and affiliates, and with our service providers, who process your Personal Data on our behalf and who agree to use the Personal Data only to assist us in providing our Services or as required by law.. In particular, we share your Personal Data as follows:

1. Critical Insights, Inc. (USA): They provide cybersecurity consulting services and analysis to Syndigo related to the Services.
2. Databricks, Inc. (USA): They provide data management and analytics services to Syndigo.
3. Flexential Corporation (USA): They are a co-location data center for data stored in CES.
4. Microsoft Corporation (USA): Syndigo uses Azure infrastructure for CES.
5. Navisite, LLC (USA): They provide emergency database administration.
6. Okta, Inc (USA): They provide identity and access management for CES users.
7. Pendo.io, Inc (USA): They provide product analytics.
8. Salesforce.com, Inc (USA): We use this platform to send notifications to you if there are any outages with the Services.
9. Twilio, Inc. (USA): We use this platform to send customer notifications.

Additionally, even if customer support is not within the scope of this Notice, please note that employees from other Syndigo entities may process Personal Data to provide you with customer support. These transfers take place in accordance with Syndigo’s Intra Group Data Transfer Agreement, which includes safeguards such as the Standard Contractual Clauses (also known as the “SCCs”) approved by the European Commission under Article 46.2 of the GDPR.

International Transfers of Personal Data

Syndigo LLC is based in the USA. Our service providers operate globally, but store data in the USA. This means that your Personal Data is primarily stored in the USA by us and our service providers.

For individuals whose Personal Data is safeguarded by data protection laws in the EU or UK: Before transferring your Personal Data from these regions to third parties outside the European Economic Area or the UK, we ensure that there are adequate levels of protection in place for your Personal Data. In cases where we transfer your Personal Data from these regions to third parties in countries which are not recognized as providing an adequate level of protection to Personal Data, we transfer Personal Data when there are appropriate safeguards in place. These safeguards include the Data Privacy Framework, the EU 2021 SCCs, UK International Transfer Addendum, UK International Data Transfer Agreement, and any other approved data transfer mechanisms.

For individuals whose Personal Data is safeguarded by the Data Privacy Framework: Before sending your Personal Data to a third party, we will do one of two things:

• Seek your consent; or
• Demand privacy and security: We will ensure the third party maintains the same level of privacy and security for your data as we do. We are accountable or liable for the protection of your Personal Data when we transfer it to others except when we can prove that we are not responsible for an event that leads to any unauthorized or improper processing. We either send it to a country, territory or sector within a country that is recognized as providing the same level of personal data protection as the country of origin or the Data Privacy Framework, or use safeguards like the Data Privacy Framework (as defined below) or the SCCs with necessary adjustments for transfers from the UK or Switzerland, or use specific transfer instruments like the UK International Data Transfer Agreement.

We are accountable and liable for the protection of your Personal Data when we transfer it to others except when we can prove that we are not responsible for an event that leads to any unauthorized or improper processing.

Other Disclosure of Your Personal Data

We may disclose your Personal Data if the law requires it, or if we have a good-faith belief that we need to disclose it to comply with official investigations or legal proceedings (where initiated by government officials or private parties). We may also disclose your Personal Data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your Personal Data to our subsidiaries or affiliates for business purposes, if necessary and as described in the section above.

We reserve the right to use aggregated, anonymous data about individuals whose Personal Data we process in our CES application for any legal business purpose. Such data does not include any Personal Data. The purposes may include analyzing usage trends or seeking compatible advertisers, sponsors, and customers.

If we must disclose your Personal Data to comply with official investigations or legal processing started by governmental and/or law enforcement officials, we may not be able to ensure that such recipients will maintain the privacy and security of your Personal Data.

Cookies

To learn about Syndigo’s use of cookies, please read our Cookie Notice for Context Experience Suite (CES).

Data Integrity & Security

Syndigo has implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect Personal Data from unauthorized processing such as unauthorized access, disclosure, alteration, or destruction.

Risk of Harm

Whenever Personal Data is collected and processed, there is always a slight risk that the Personal Data may be breached, misused, or otherwise result in a harm to you. However, we take several measures to ensure that this risk is mitigated as much as possible. These measures include limiting the Personal Data about you that we collect and process to solely what is necessary, not collecting sensitive Personal Data about you, and implementing appropriate security measures, as described in this Notice.

Your Privacy Rights

If we process your Personal Data, you may have the right to request access to (or to update, correct, or delete) such Personal Data. You may also have the right to ask that we limit our processing of such Personal Data, as well as the right to object to our processing of such Personal Data. You may also have the right to data portability.

Please note that requests should generally be sent directly to the Syndigo customer who provided your Personal Data to us. Syndigo has limited rights to access and process the Personal Data our customers submit to us or instruct us to process. If sending the request directly to the Syndigo customer is not possible for any reason and you decide to contact us with such a request, please provide the name of the Syndigo customer who submitted your Personal Data to us. We will forward your request to that customer and provide any needed assistance as they respond to your request.

In this section, we also acknowledge the right of EU, UK and Swiss individuals to access their Personal Data pursuant to the Data Privacy Framework (as defined below) and will grant individuals reasonable access to Personal Data we received pursuant to the Data Privacy Framework Principles when instructed by our customers. In addition, we will take reasonable steps to permit individuals to correct, amend, or delete such information that is demonstrated to be inaccurate or processed in violation of the Data Privacy Framework Principles. Additionally, if we have received your Personal Data in reliance on the Data Privacy Framework, you may also have the right to opt out of having your Personal Data shared with third parties and to revoke your consent to our sharing your Personal Data with third parties. You may also have the right to opt out if your Personal Data is used for any purpose that is materially different from the purpose(s) for which it was originally collected or which you originally authorized. An individual may request to access their Personal Data, or otherwise correct, amend, delete, withdraw their consent or limit the processing of their Personal Data in line with the Data Privacy Framework Principles by contacting our customer.

EU-U.S. and Swiss-U.S. Data Privacy Frameworks, and the UK Extension

With respect to Personal Data processed in the scope of this Notice, Syndigo LLC complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) (the “Data Privacy Framework”) as adopted and put forward by the U.S. Department of Commerce regarding the processing of Personal Data. Syndigo commits to upholding and has certified to the Department of Commerce that it adheres to the Data Privacy Framework Principles. If there is any conflict between the terms in this Notice and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern.

To learn more about the Data Privacy Framework, and to view Syndigo’s certification information, please visit https://www.dataprivacyframework.gov and https://www.dataprivacyframework.gov/s/participant-search (search for Syndigo LLC),, respectively.

U.S. Regulatory Oversight

Syndigo is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

Dispute Resolution

Where a privacy complaint or dispute cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure. Subject to the terms of the VeraSafe Data Privacy Framework Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure, please submit the required information through the webform located here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/

If a complaint or dispute related to Personal Data cannot be resolved through Syndigo’s internal process, in addition to the VeraSafe Dispute Resolution Procedure, Syndigo has agreed to cooperate with the EU data protection authorities and the Swiss Federal Data Protection and Information Commissioner, and to take part in the dispute resolution procedures of the panel established by such data protection authorities.

Binding Arbitration

If your dispute or complaint cannot be resolved by us, nor through the dispute resolution program established by VeraSafe, you may have the right to require that we enter binding arbitration with you under the Data Privacy Framework’s “Recourse, Enforcement and Liability Principle” and Annex I of the Data Privacy Framework.

Privacy of Children

Our services are not meant for anyone under the age of 18 and we do not knowingly collect Personal Data from minors. If we learn that we process Personal Data from a child under the age of 13, we will delete the Personal Data we have stored as quickly as possible. If you believe that we might have any Personal Data from or about a child under the age of 13, please contact us or the customer that has provided the child’s information to us.

Changes to this Notice

If we make any material change to this Notice, we will post the revised Notice to this web page. We will also update the “Effective” date. By continuing to use CES after we post any of these changes, you accept the modified Notice.

In our latest update as of the Last Updated Date, we implemented the following changes:

We have clarified what is within the scope of this Notice and what is not.
We have specified the types of Personal Data we process in more detail.
We have specified the retention period in more detail.
We eliminated information regarding the transfer of Personal Data to other entities that was not applicable. Instead, we focused on providing you with details about the parties responsible for processing your Personal Data and the safeguards we have in place to protect it.
We have included information about our commitment to comply with the Data Privacy Framework and your rights under it.

Contact Us

If you have any questions about this Notice or our processing of your Personal Data, please write to our Privacy Team by email at privacy@syndigo.com or by postal mail at:

Syndigo LLC

Attn: Debra Osborn, Senior Counsel

141 W. Jackson Blvd., Ste 1220

Chicago, IL 60604

United States

Please allow up to four weeks for us to reply.

European Union Representative

We have appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/ or via telephone at: +420 228 881 031.

Alternatively, VeraSafe can be contacted at:

VeraSafe Ireland Ltd

Unit 3D North Point House

North Point Business Park

New Mallow Road

Cork T23AT2P

Ireland

United Kingdom Representative

We have appointed VeraSafe as our representative in the United Kingdom for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at: +44 (20) 4532 2003.

Alternatively, VeraSafe can be contacted at:

VeraSafe United Kingdom Ltd.

37 Albert Embankment

London SE1 7TL

United Kingdom

Data Protection Officer

We have appointed VeraSafe as our Data Protection Officer (DPO). While you may contact us directly, VeraSafe can also be contacted on matters related to the processing of Personal Data. VeraSafe’s contact details are:

VeraSafe, LLC

100 M Street S.E., Suite 600

Washington, D.C. 2000

USA

Email: experts@verasafe.com

Web: https://www.verasafe.com/about-verasafe/contact-us/