Syndigo Privacy Notice

(last updated: June 23, 2021)

Syndigo LLC and any affiliate entity controlled directly or indirectly by it (collectively, “Syndigo”, “we”, “us”, “our”) take the protection of your personal data (“Personal Data”) very seriously. Please read this Privacy Notice (the “Notice”) to learn what we’re doing with your Personal Data, how we protect it, and your privacy rights under the European Union General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act of 2018 (“CCPA”), the Lei Geral de Proteção de Dados (“LGPD”), and the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

What Is Covered by this Privacy Notice?

This Notice is designed to assist you in understanding how we process your personal data when you use our website, web applications, or mobile applications (collectively, the “Services”), as well as in the course of providing you customer support services. In addition, it applies when you place an order with us, respond to a survey or fill out any forms from us, or when we process your Personal Data to sell or market our products and services.

Within the scope of this Policy, Syndigo is the business that makes the decisions about the processing of your Personal Data (also known as the “data controller”), unless expressly specified otherwise.

This Policy does not cover any other data collection or processing, including the data related to our customers’ clients which we host for our customers (and for which we act as a “data processor” or “service provider”) via the Content Experience Hub (“CXH”) application. The personal data submitted to us as a data processor or service provider within CXH is governed by the Content Experience Hub Privacy Notice (available at https://selfservice.stg-oldsyndigo-staging.kinsta.cloud/privacypolicy.html) and applicable law.

What Can You Find in this Notice?

what Personal Data we collect about you and how we obtain it;
the legal bases for processing your Personal Data;
for what purposes we use that Personal Data;
how long we keep your Personal Data;
with whom we share your Personal Data;
your rights about the Personal Data we collect about you and how you can exercise those rights;
how we protect your Personal Data; and
how to contact us.

Lawful Bases for Processing

The GDPR and other applicable data protection laws require that we have a valid reason to use your Personal Data. This is called the “lawful basis for processing.” When operating as a data controller, we may process your Personal Data:

Because you gave your consent.
Because we need to perform a contract with you.
Because we have a legitimate interest in processing your Personal Data and it is not overridden by your rights. Some of those interests include: (1) Identifying and preventing fraud; and (2) enhancing the security of our network and information systems.
Because we need to comply with the law.
On another ground, as required or permitted by law.

When we rely on legitimate interests as a lawful basis of processing, you have the right to ask us more about how we decided to choose this legal basis. To do so, please use the contact details provided below.

Where we process your Personal Data based on your consent, you may withdraw it at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect the validity of our processing of Personal Data performed on other lawful grounds.

Where we receive your Personal Data as part of providing our Services to you based on a contract, we require such Personal Data to be able to carry out the contract. Without that necessary Personal Data, we will not be able to provide the Services to you.

What Personal Data We Process and How We Obtain It

The table below describes the categories of Personal Data we have collected about you in the last twelve months.

Personal Data We Collect, Process, or Store	How We Obtain It
Identifiers First and last name, email address, phone number, Internet Protocol address, username, and password.	We collect this information when you create your account or log into and use the Services.
Customer Records Information Name, physical characteristics or description, address, and telephone number. Our communication with customers and prospects (correspondence, call and video recordings, and transcriptions and analyses thereof), as well as any needs, preferences, attributes and insights relevant to our potential engagement with prospects.	We collect this information when you enter it into our Services, including from any photographs connected to your account, through your interaction with us, as well as through third party services.
Internet or other similar network activity Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.	We collect this information from your activity when you use our Services or our website.
Inferences drawn from other Personal Data Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	We collect this information by analyzing the information that you have provided to us by entering it into our Services and when using our Services, or when you use our website.

We will not collect additional categories of Personal Data without informing you.

Cookies

To learn about Syndigo’s use of cookies, please read our Cookie Notice.

For What Purposes Do We Use Your Personal Data?

We may process your Personal Data for the purposes of:

enabling the use of our Services and website
improving our Services and website in order to better serve you
responding to your requests or questions
administering contests, promotions, or surveys
processing your transactions
developing and tracking sales leads
sending periodic emails regarding your orders or other products and services
facilitating and optimizing our sales operations.

To achieve the above purposes we need to perform different types of processing activities on your Personal Data, such as storage, access, transmission, consultation, manipulation and combination.

How Long We Keep Your Personal Data

When the purposes of processing are satisfied, we will delete the related Personal Data within thirty (30) days, or upon receipt of a verified request.

Automated Decision-Making

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making. There will always be human intervention into decisions based on automated processing, including automated analytics, testing, and profiling. If this position changes, or there is a need and lawful basis to do so, we will inform you.

Sharing Personal Data with Third Parties

We share your personal data with certain third parties who assist us in operating our website, conducting our business, or servicing you. However, these third parties are required we enter strict data processing agreements with these third parties to ensure that they keep your Personal Data confidential, only use it for the services they provide to Syndigo, and treat your Personal Data with the same level of protection that we do. The categories of third parties to which we may disclose your Personal Data include:

Infrastructure services providers
Customer service providers
Internet service providers
Cloud service providers
Office tools providers
Payment processing providers
Customer survey providers
Email service providers
Email security services providers
Web analytics providers
Enterprise open-source solutions providers
Project management tool providers
Application hosting service providers
Sales conversations intelligence providers

Note if you are located in the EU: Some of these third parties may be located outside of the European Union or the European Economic Area. In some cases, the European Commission may have determined that in some countries, their data protection laws provide a level of protection equivalent to European Union law. You can see here the list of countries that the European Commission has recognized as providing an adequate level of protection to personal data. We will only transfer your Personal Data to third parties in countries not recognized as providing an adequate level of protection to personal data when there are appropriate safeguards in place. These may include the European-Commission-approved standard contractual data protection clauses under Article 46.2 of the GDPR, or BCRs for processors under Article 47 of the GDPR.

Note if you are located in Brazil: Some of these third parties may be located outside of Brazil. In some cases, the Autoridade Nacional de Proteção de Dados (“ANPD”) may have determined that certain countries’ data protection laws provide an equivalent level of protection to the LGPD. Where this is not the case, we will only transfer your Personal Data to third parties located in other countries when there are appropriate safeguards in place which the ANPD has confirmed as acceptable.

Sales of Your Personal Data

Syndigo generally does not directly sell your Personal Data in the conventional sense (for money). Like many companies, however, we use services that help deliver interest-based ads to you or analyze our website traffic and may transfer Personal Data to business partners for their use. Making Personal Data (such as online identifiers or browsing activity) available to these companies may be considered a “sale” under the CCPA.

If you would like to opt out of the sales of your Personal Data that take place via cookies, you can learn how below.

Other Disclosures of Your Personal Data

We may disclose your Personal Data to the extent required by law or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties). If we have to disclose your Personal Data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.

We may also disclose your Personal Data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your Personal Data to our subsidiaries or affiliates, but only if necessary for business purposes, as described in the section above.

We reserve the right to use, transfer, sell, and share aggregated, anonymous data for any legal purpose. Such data does not include any Personal Data. The purposes may include analyzing usage trends or seeking compatible advertisers, sponsors, and customers.

Risk of Harm

Whenever Personal Data is collected and processed, there is always a slight risk that the Personal Data may be breached, misused, or otherwise result in a harm to you. However, we take several measures to ensure that this risk is mitigated as much as possible. These measures include limiting the Personal Data about you that we collect and process to solely what is necessary, not collecting sensitive Personal Data about you, and implementing appropriate security measures, as described in this Notice.

What Privacy Rights Do You Have?

You have specific rights regarding your Personal Data collected and processed by us. In this section, we first describe those rights and then we explain how you can exercise those rights.

Right to Know What Happens to Your Personal Data
This is called the right to be informed. It means that you have the right to obtain from us all information regarding our data processing activities that concern you, such as how we collect and use your Personal Data, how long we will keep it, and who it will be shared with, among other things.

We are informing you of how we process your Personal Data with this Notice.

Right to Know What Personal Data Syndigo Has About You
This is called the right of access. This right allows you to ask for full details of the Personal Data we hold about you.

You have the right to obtain from us confirmation as to whether or not we process Personal Data concerning you, and, where that is the case, a copy or access to the Personal Data and certain related information. Once we receive and confirm that the request comes from you or your authorized agent, we will disclose to you:

The categories of Personal Data we collected about you;
The categories of sources for the Personal Data we collected about you;
Our purposes for processing that Personal Data;
Where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
The categories of third parties with whom we share that Personal Data;
The specific pieces of Personal Data we collected about you;
If we sold or disclosed your Personal Data for a business purpose, two separate lists laying out the:

- - categories of Personal Data sold, and the categories of recipients who purchased the Personal Data; and
  - categories of Personal Data disclosed for a business purpose, identifying the categories of recipients who obtained the Personal Data;
  - If we rely on legitimate interests as a lawful basis to process your Personal Data, the legitimate interests pursued by us or by a third party; and
  - The appropriate safeguards for transferring data from the EU to a third country, if applicable.

Please take into account that the GDPR allows us not to satisfy your access request when:

- - you already have the information;
  - providing such information proves impossible or would involve a disproportionate effort, or in so far providing such information is likely to render impossible or seriously impair the achievement of the objectives of that processing; and
  - that Personal Data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

The CCPA does not allow us to disclose account passwords or security questions and answers. We can inform you that we have this information generally, but we may not provide the specific items to you for security and legal reasons.

Right to Correct Your Personal Data
This is called the right to rectification. It gives you the right to ask us to correct anything that you think is wrong with the Personal Data we have on file about you and to complete any incomplete Personal Data.

Right to Delete Your Personal Data
This is called the right to erasure, right to deletion or the “right to be forgotten”. This right means you can ask for your Personal Data to be deleted.

You may be able to remove information from your account after logging in or even to entirely delete your account on our Services. If there is any other Personal Data you would like deleted, you can ask us to do so using the contact information listed in this Notice.

Sometimes we can delete your information, but other times it may not be possible, such as when the law tells us we cannot do so. If that is the case, we will consider if we can limit how we use it. There may also be circumstances where we deny your request to delete your information under applicable law, such as if we or our service providers need to retain the Personal Data to:

a) Complete the transaction for which we collected the Personal Data;
b) Provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
c) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
d) Debug products to identify and repair errors that impair existing intended functionality;
e) Enable solely internal uses reasonably aligned with your expectations based on your relationship with us;
f) Comply with a legal obligation, including (but not limited to) obligations from the California Electronic Communications Privacy Act; or
g) Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Right to Ask us to Change How We Process Your Personal Data
This is called the right to restrict processing. It is the right to ask us to only use or store your Personal Data for certain purposes.

You have this right in certain occasions, such as where you believe the data is inaccurate or the processing activity is unlawful. This right enables you to ask us to suspend the usage of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.

Right to Ask Us to Stop Using Your Personal Data
This is called the right to object. This is your right to tell us to stop using your Personal Data. You have this right where we rely on a legitimate interest of ours (or of a third party). Also, you have the right to object at any time to the processing of your Personal Data for direct marketing purposes.

We will stop processing the relevant Personal Data unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your Personal Data to establish, exercise, or defend a legal claim.

Right to Port or Move Your Personal Data
This is called the right to data portability. It is the right to ask for and download Personal Data about you that you have given us or that you have generated by virtue of the use of our services, so that you can:

- - move it;
  - copy it;
  - keep it for yourself; or
  - transfer it to another organization.

We will provide your Personal Data in a structured, commonly used, and machine-readable format. When you make a data portability request electronically, we will provide you a copy in electronic format.

Right to Withdraw Your Consent
Where we rely on your consent as the legal basis for processing your Personal Data, you may withdraw your consent at any time. If you withdraw your consent, our use of your Personal Data before you withdraw is still lawful.

If you have given consent for your details to be shared with a third party, and wish to withdraw this consent, please also contact the relevant third party in order to change your preferences.

Right Not to be Discriminated Against for Exercising your Privacy Rights
We will not discriminate against you for exercising any of your privacy rights, meaning we will not:

- - deny you goods or services;
  - charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; or
  - provide you a different level or quality of goods or services.

Right to Lodge a Complaint with a Supervisory Authority
If the GDPR applies to the processing of your Personal Data with us, the GDPR grants you the right to lodge a complaint with a supervisory authority if you are not satisfied with how we process your Personal Data.

In particular, you can lodge a complaint in the Member State of the European Union of your habitual residence, place of work, or of the alleged violation of the GDPR.

If the LGPD applies to the processing of your Personal Data with us, the LGPD grants you the right to lodge a complaint with the ANPD if you are not satisfied with how we process your Personal Data.

Right to Opt Out of the Sale of Your Personal Data

You have the “right to opt out”, which means you have the right to ask us to not sell your Personal Data at any time.

As our use of some of the cookies that we use for statistical purposes and marketing purposes is the only sale of your Personal Data that Syndigo may be engaging in, the only way to opt out of sales of Personal Data is to change your cookie preferences through our cookie consent management platform In particular, you need to choose not to allow the following categories of cookies:

- - Statistics
  - Marketing

Please consider that the preferences you submit through the cookie consent management platform, including your requests to opt out from the sale of personal information, may be stored in cookies or similar technologies that are specific to your browser. If this browser is configured to block cookies or similar technologies, our tool may not be able to store your preferences. In addition, deleting cookies on this browser may result in your preferences being removed. If your preferences are removed after you delete cookies from this browser, you will have to update these preferences again. Also, remember that private browsing technologies (such as incognito mode) automatically delete all local storage and cookies when the browsing session ends, preventing us from recording your choice made during the session; and prevent us from accessing any local storage created outside of the current session, which does not enable us to access the choice you made during a normal or previous private browsing session.

We’ll only store your preferences only in this browser. Because some companies may not connect information about this browser with other web browsers or devices you may use (such as a web browser on another computer you may use, or one on a mobile device), you need update your preferences through the cookie consent management platform to set your preferences separately for other browsers or devices you may use.”

Your Right to Opt In to the Sale of Your Personal Data
As our use of some of the cookies that we use for statistical purposes and marketing purposes is the only sale of your Personal Data that Syndigo may be engaging in, the only way to opt in to sales of Personal Data is to change your cookie preferences through our cookie consent management platform In particular, you need to choose to allow the following categories of cookies:

- - Statistics
  - Marketing

How Can You Exercise Your Privacy Rights?

To exercise any of the rights described above, please submit a request by either:

- - Calling us at 1-877-847-5467; or
  - Contacting us by email as privacy@syndigo.com (Preferred method)

Verification of Your Identity

Bear in mind that to evaluate your privacy rights requests, we need to be sure it was you who made the request. Consequently, we may need some information to confirm that you are who you say you are.

For requests submitted via password-protected accounts, your identity is already verified.

For requests sent by other means, you will need to provide us with sufficient information that allows us to reasonably verify you are the person about whom we collected personal data. Generally, we will request only information that we may have about you to confirm your identity, but under some circumstances we may require additional information or documentation to complete your request. We cannot respond to your request or provide you with personal data if we cannot verify your identity or authority to make the request. Making a request does not require you to create an account with us.

We will only use the Personal Data you provide us in a request to verify your identity or authority to make the request.

Please note that you may only make a consumer request to know or data portability twice within a 12-month period under the CCPA.

Verification of Authority

If you are submitting a request on behalf of somebody else, we will need to verify your authority to act on behalf of that individual. When contacting us, please provide us with proof that the individual gave you signed permission to submit this request, a valid power of attorney on behalf of the individual.

Alternatively, you may ask the individual to directly contact us by using the contact details above to verify their identity with us and confirm with us that they gave you permission to submit this request.

We will only use the Personal Data you provide us in a request to verify your authority.

Response Timing and Format of Our Responses

We will confirm the receipt of your request within ten (10) days and, in that communication, we will also describe our identity verification process (if needed) and when you should expect a response, unless we have already granted or denied the request.

Please allow us up to thirty (30) days to reply to your from the day we received your request. If we need more time (up to 90 days in total), we will inform you of the reason why, and the extension period, in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will send our written response by mail or electronically, at your option.

If we cannot satisfy a request from you, we will also explain why in our response.

We will not charge a fee for processing or responding to your requests unless we determine that your request is excessive, repetitive, or manifestly unfounded. In those cases, we will tell you why we made that determination and provide you with a cost estimate before completing your request.

Privacy of Children

The Services are not directed at, or intended for use by, children under the age of 13.

Data Integrity & Security

We are strongly committed to keeping your Personal Data safe. We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect your Personal Data from unauthorized processing. Unauthorized processing includes unauthorized access, exfiltration, theft, disclosure, alteration, or destruction.

Changes to this Notice

If we make any material change to this Notice, we will post the revised Notice to this web page. We will also update the “Effective” date. By continuing to use our Services after we post any of these changes, you accept the modified Notice.

Contact Us:

If you have any questions about this Notice or our processing of your Personal Data, or want to submit a verifiable consumer request, please write to the Syndigo privacy team by email at privacy@syndigo.com or call at 1-877-847-5467 or by postal mail at:

Syndigo LLC
Attn: Debra Osborn, Senior Counsel
141 W. Jackson Blvd., Ste 1220
Chicago, IL 60604
United States

Please allow up to four weeks for us to reply.

European Union Representative

We have appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at: +420 228 881 031.

Alternatively, VeraSafe can be contacted at:

VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland

VeraSafe Czech Republic s.r.o.
Klimentská 46,
Prague 1,
11002,
Czech Republic

United Kingdom Representative

We have appointed VeraSafe as our representative in the UK for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at +44 (20) 4532 2003.