Last updated: Feb 1st, 2023
Smarketing Cloud Ltd. (“Smarketing Cloud,” “we,” “us,” or “our”) provides a SaaS customer relationship management platform that optimizes the communications and interactions of our business clients (“Client,” “you,” or “your“) with the customers/end-users of their products and services (“Customers“). This Product Privacy Statement explains how Smarketing Cloud collects, uses, discloses, and otherwise processes Customers’ personal information or personal data on behalf of our Clients in connection with our Clients use of our products and services (collectively, the “Services“).
Personal information or personal data refers to any data or information that can be used to identify a natural person, and are subject to applicable data protection laws, such as the EU General Data Protection Regulation 2016/679 (“GDPR”) or the California Consumer Privacy Act (Assembly Bill 375), as amended (“CCPA”). We use the term “Personal Data” throughout this Product Privacy Statement to mean, as applicable, “personal data” (under the GDPR), “personal information” (under the CCPA), or similarly defined personally identifiable information governed by an applicable data protection law that is made available to Smarketing Cloud in connection with the Services.
With respect to cases in which Smarketing Cloud collects or receives Personal Data under and/or pursuant to the direction of our Clients, Smarketing Cloud is acting as a data processor (under GDPR) or service provider (under CCPA), and our Clients are the data controllers (under GDPR) or businesses (under CCPA) with respect to such Personal Data. To this end, if not stated otherwise in this Product Privacy Statement or in a separate disclosure, we process such Personal Data as a processor/service provider on behalf of our Clients (and their affiliates) who are the controller/business that have collected the Personal Data.
Smarketing Cloud’s processing of Personal Data in connection with the Services is governed by this Product Privacy Statement and our agreements with each Client. In the event of any conflict between this Product Privacy Statement and the corresponding Client Agreement, the Client Agreement will control to the extent permitted by applicable law.
For detailed privacy information related to a Client who uses our Services to process Personal Data, please contact our Clients directly. We are not responsible for and have no control over the privacy or data security practices of our Clients, which may differ from those explained in this Product Privacy Statement. This Product Privacy Statement is also not a substitute for any privacy notice that our Clients are required to provide to their Customers, employees and other personnel authorized to use the Services (“Client Users”), or other end-users. An individual who seeks access, or who seeks to correct, amend, or delete Personal Data that is stored in our Services on behalf of our Clients, in each case as permitted by applicable data protection laws, should direct their query to our Clients (the data controller/business).
What Personal Data Does Smarketing Cloud Collect or Receive through the Services?
Smarketing Cloud receives or collects Personal Data which is stored in or transmitted via the Services by, or on behalf of, our Clients. This may include Personal Data such as contact information of our Client’s Customers (first and last name, email or physical address, social media handle, telephone number and IP address), gender, order and purchase history, correspondence between Client Users and their Customers, medical information (for Clients who are covered entities and have engaged Smarketing Cloud as a business associate under HIPAA) and other data our Clients collect about their Customers’ use of their products and services. This Personal Data may be provided to us directly by our Clients or through third-party services such as connections and/or links to third party websites and/or services that Smarketing Cloud enables Client to integrate with and access through the Services, including, without limitation, via application programming interfaces, workflows or webhooks (“Third-Party Applications”).
We also collect Personal Data from Client Users such as name, email address, third-party account credentials and data about Client Users’ devices (such as browser type, operating system, device identification number and IP address) and usage of our Services (such as pages viewed, date/time stamps and searches performed) through log files and other technologies, some of which may qualify as Personal Data. This Personal Data may be received or collected by us directly from our Clients and Client Users, through Third-Party Applications or by automated means, such as cookies (e.g. essential cookies) and web beacons through our use of sub-processors.
How Does Smarketing Cloud Use Personal Data?
We use the data we collect at the instruction of our Clients and in accordance with our Client Agreements, to operate and provide the Services and for related internal purposes, including: (a) enabling Client Users to access and use the Services; (b) maintain the security of the Services; (c) providing information about the Services, responding to inquiries, complaints, and requests for support; (d) as we believe necessary or appropriate to comply with applicable law, enforce the terms and conditions that govern the Services, protect our rights, privacy, safety or property, and/or that of you or others, and protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity; and (e) improving our Services, including by using aggregated and/or de-identified data.
How Does Smarketing Cloud Share Personal Data?
We share the Personal Data we collect with (a) our Clients and Client Users, to the extent the Personal Data pertains to Client Users and Client’s Customers; (b) sub-processors that help us provide, manage, secure and improve the Services; and (c) Third-Party Applications that you have set up for integration.
Client Users that register, install or access any Third Party Applications may be required to accept privacy notices provided by those Third Party Applications. Please review those notices carefully, as Smarketing Cloud does not control and cannot be responsible for these Third Party Applications’ privacy or information security practices.
We may also share Personal Data with government, law enforcement officials or private parties as required by law, when we believe such disclosure is necessary or appropriate to (a) comply with applicable law; (b) enforce the terms and conditions that govern the Services; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity, in the event of active or prospective litigation or arbitration, for regulatory compliance efforts and/or audit.
How Does Smarketing Cloud Secure and Protect Personal Data?
The security of Personal Data is important to us. Smarketing Cloud uses generally accepted physical, electronic, and procedural safeguards to protect Personal Data submitted to us (both during transmission and once it is received) from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction in accordance with applicable law to protect the Personal Data.
If Client Users access the Services via a third party site or service, they may have additional or different sign-on protections via that third party site or service. Clients must prevent unauthorized access to Client Users’ account and Personal Data stored in the Services by selecting and protecting your password and/or other sign-on mechanism appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account. We also recommend that our Clients take steps to protect against unauthorized access to any devices, networks and applications (including Third Party Applications) connected to, or integrated with, the Services.
We endeavor to protect the privacy of Client Users accounts and the Personal Data we store in the Services. Smarketing Cloud has achieved SOC 2 Type 2 compliance, we regularly engage third-party security experts to perform detailed penetration tests and we monitor and respond to security alerts and events. Unfortunately, we cannot guarantee that any safeguards or security measures will be sufficient to prevent a security problem.
Cross-Border Data Transfers
The Services are hosted and operated in the European Union (“EU”) through Smarketing Cloud and our sub-processors. In order to provide the Services, Smarketing Cloud or our sub-processors may transfer Personal Data outside of the country in which Customers and Client Users are located, including to the U.S. or to other jurisdictions that may not be subject to equivalent data protection laws. See the Client Agreements for additional information regarding how Smarketing Cloud safeguards Personal Data transferred across borders, including the additional protections we offer to safeguard the privacy rights of EU residents.
When transferring Personal Data across borders we take steps reasonably necessary to ensure that the information or data is subject to appropriate safeguards, is treated securely and is transferred under an approved data transfer mechanism pursuant to applicable data protection laws, including where applicable by entering into standard contractual clauses for the transfer of data as approved by the European Commission (as described in Article 46 of the General Data Protection Regulation).
We retain Personal Data that we process on behalf of our Clients so long as Smarketing Cloud’s contractual obligations remain with our Clients. We endeavor to delete Personal Data as soon as reasonably practicable, but in no event more than ninety (90) days following the termination of our contractual relationship with a Client unless a longer retention period is requested by a Client and agreed to by us. Client Users with administrative rights can use the Services to delete and permanently remove Customer’s Personal Data that is stored within the Services. We will permanently delete Customer’s Personal Data pursuant to such instructions promptly, but at least within ninety (90) days of such requests. For deletion of all other Personal Data and/or for deletion of your entire Smarketing Cloud instance at the end of your contractual relationship, please email support@Smarketing Cloud.com. Afterwards, where permitted by applicable law, we may retain some information in aggregated and/or de-identified form but not in a way that would identify Client or individuals personally.
For Client User Personal Data that is shared with us (1) in connection with responding to Client User inquiries, complaints, and requests for support of the Services (2) on order forms and as part of contracts (e.g. contact information on statements of work, etc.) and (3) for invoicing purposes, including Client financial information, we may retain such Personal Data beyond the end of our contractual obligations with our Clients, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation. Additionally, like most hosted service operators, we retain some of the device and usage data collected by the Services in log files beyond the end of our contractual obligations with our Clients, whether alone or in conjunction with other data. This log file data may be aggregated and/or de-identified data in a way that would not identify Client Users personally but certain log file data could be personally identifying to a Client User. To the extent we retain any such data beyond the end of our contractual obligations, we will continue to treat such data in accordance with this Product Privacy Statement.
Please see your Client Agreements for additional information regarding Smarketing Cloud’s data retention practices. In the event of any conflict with the above, such Client Agreements shall control.
Data Subject Rights under GDPR & CCPA
Clients are the data controllers/businesses of Customer’s Personal Data. As such, Clients are responsible for receiving and responding to requests from their Customers and other individuals to exercise any rights afforded to them under applicable data protection laws. If requested to remove Personal Data by a Client, we will respond within a reasonable timeframe and in accordance with the Client Agreements.
Because we may only access a Client’s data upon their instructions, if Smarketing Cloud receives a data subject request directly from a Customer using our data subject request form, Smarketing Cloud will inform the Customer to contact the Client directly about any request relating to his/her Personal Data such as access or deletion, and to the extent that the applicable data protection law does not prohibit Smarketing Cloud from doing so, we will refer their request to the Client they specify in their request. Smarketing Cloud will not further respond to a data subject request without Client’s prior consent and will assist Clients in responding to such requests as set forth in the Client Agreement.
Additional Information regarding Personal Data of Residents of California
Smarketing Cloud understands and will comply with the foregoing restrictions and the applicable requirements of the CCPA. For the purposes of the CCPA, Clients as the “Business” under the CCPA bear the primary responsibility for ensuring that their processing of Personal Data is compliant with relevant data protection law, including the CCPA. Smarketing Cloud collects, accesses, maintains, uses, processes, transfers and shares the Personal Data of our Client’s Customers and Client Users processed through the Services solely for the purpose of performing our obligations under the Client Agreements; Smarketing Cloud does not receive any Personal Data, as defined by the CCPA, from its Clients as consideration for the Services.
We do not “sell” Client Users’ or Customer’s Personal Data as currently defined under the CCPA, meaning that we also do not rent, disclose, release, transfer, make available or otherwise communicate that Personal Data to a third party for monetary or other valuable consideration. We may share aggregated and/or anonymized information regarding use of the Service(s)—which is not considered Personal Data under the CCPA—with third parties to help us develop and improve the Services and provide our Clients with more relevant content and service offerings as detailed in our Client Agreements.
Do Not Track
Client Users’ browsers may offer a “Do Not Track” or “DNT” option, which allows individuals to signal to operators of websites and web applications and services that such individual does not wish such operators to track certain online activities over time and/or across different websites. Because we consider certain tracking of Client User activity as necessary for the proper performance and functioning of our Services, our Services do not respond to, and we do not support, Do Not Track requests at this time. To find out more about “Do Not Track,” you can visit www.allaboutdnt.com.
Changes to this Product Privacy Statement
If we make material changes to this Product Privacy Statement, we will notify you in a manner that we believe will be reasonably likely to reach you (which may include email, a specific announcement on this page, our website, or on our blog).
If you are a Client and have any questions about this Product Privacy Statement, you can contact our compliance team at firstname.lastname@example.org