ITERABLE PRIVACY NOTICE
Last Updated: 07.14.23
1. PURPOSE OF THIS PRIVACY NOTICE
This Privacy Notice sets out how Iterable processes your personal data (or personal information or similar under other data legislation around the world – referred to only as “personal data” in this Privacy Notice) in connection with our business, including the provision of our Site and our Services.
In particular, this Privacy Notice explains our approach to any personal data that we might collect from you (i) when you use our Site or Services (ii) during any other interactions with us, or (iii) which we might otherwise process when providing Services to our Customers (including the personal data we collect, why we collected it and your rights in respect of our processing of your personal data).
This Privacy Notice is intended to assist you in making informed decisions when using the Site and our Services. Please take a moment to read and understand this Privacy Notice. It should be read in conjunction with our Terms of Service, Acceptable Usage Policy and Cookie Policy .
Finally, this Privacy Notice is intended to meet the requirements of the Regulation (EU) 2016/79 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (known as “GDPR”), as well as the “UK GDPR” (as defined in the UK Data Protection Act 2018). When we say GDPR, we mean both the EU and UK versions. Please refer to the Country Specific Provisions section for details of how your personal data will be processed in accordance with US regulations (including the California Consumer Privacy Act (“CCPA”), as amended by California Privacy Rights Act (“CPRA”)) where appropriate.
2. SCOPE OF THIS PRIVACY NOTICE
This Privacy Notice only applies to the use of your personal data obtained by us, whether from you directly or from a third party. It does not apply to personal data collected by third parties during your communications with those third parties or your use of their products or services (for example, where you follow links on our Site to third party websites over which we have no control).
The policy applies to all Services and products that Iterable (and, if applicable, its affiliates) offers.
This Privacy Notice is not intended to cover the processing of workplace personal data. Accordingly, if you are engaged as a worker for us, please see our Employee Privacy Notice which sets out further information about how we may process your personal data in connection with your employment and/or engagement. Further, Iterable has a separate privacy policy for job candidates. This is provided when a candidate submits their job application. If you have any queries in relation to the use of your candidate information, please contact HR@iterable.com
3. DEFINITIONS
Below are some defined terms used in this Privacy Policy:
“Customer” |
refers to an organisation who is a customer of Iterable; |
“End User” |
refers to our Customer’s end users; |
“Iterable Platform” |
means the business to business cross channel marketing platform that Iterable provides to its Customers; |
“Services” |
means the products and services that Iterable provides to its Customers, including the Iterable Platform; and |
“Site” |
refers to https://iterable.com. |
4. CHANGES TO THIS POLICY
We will update this Privacy Notice from time to time to reflect any changes or proposed changes to our use of your personal data, or to comply with changes in applicable law or regulatory requirements. We may notify you by email of any significant changes to this Privacy Notice, but we encourage you to review this Privacy Notice periodically to keep up to date on how we use your personal data. If we update this Privacy Notice, we will update the effective date at the top of the page.
5. ABOUT US
The Site and Services are made available by various companies in the Iterable group of companies (each a “Group Company”).
Where this Privacy Notice refers to “Iterable”, “we”, “us, “our”, this means one or more of the particular Group Companies that provide the particular Site or Services.
The processing activities of the following entities is covered by this Privacy Notice:
Location: United Kingdom
Iterable, Ltd. (company no: 12064168 is a company established under the laws of England and Wales with its registered office at 5 New Street Square, London, United Kingdom, EC4A 3TW) |
Responsible for:
|
Location: United States
Iterable, Inc. 201 Spear Street, Suite 1050 San Francisco, CA 94105 |
Responsible for:
|
Location: Ireland
Iterable, Ireland. 8th Floor, Block E, Iveagh Court, Harcourt Road, Dublin 2, Ireland |
Responsible for:
|
Location: Portugal
ITRBL, UNIPESSOAL Edificio Amoreiras Square Rua Carlos Alberto Da Mota 17 2 Floor, Lisbon Portugal |
Responsible for:
|
For the purpose of this Privacy Notice, unless we state otherwise, each Group Company shall be considered a data controller of your personal data in connection with the use cases identified in this Privacy Notice.
Please note that in many cases where we process personal data in relation to Services that we provide, we may carry out the activities referred to in this Privacy Notice in our capacity as a data processor (or similar under other data legislation around the world) acting on behalf of our Customers. In such situations, it would be our Customers who are the data controller, and any data subject should refer to the relevant Customer privacy notices for information about how their personal data is processed. We have made this distinction clear in the Privacy Notice.
6. HOW TO CONTACT US
If you have any questions about this Privacy Notice or want to exercise your rights as a data subject set out in this Privacy Notice, you can contact us using the following methods:
|
Privacy queries, send us an email at: privacy@iterable.com. |
Post |
Write to us at: EU representative Lionheart Squared LTD 2 Pembroke House Upper Pembroke Street 28-32 Dubin DO2 EK84 Republic of Ireland UK representative LionHeart Squared Limited 17 Glasshouse Studios Fryern Court Road Fordingbridge Hampshire SP6 IQX United Kingdom US office: Iterable, INC 201 Spear Street, Suite 1050 San Francisco, CA 94105, United States |
7. TYPE OF PERSONAL DATA WE COLLECT/PROCESS
When we talk about personal data we mean any information which relates to an identified or identifiable living individual. Individuals might be identified by reference to a name, an identification number, location data, an online identifier (such as an IP address) or to other factors that are specific to them, such as their physical appearance. Categories of personal data we may collect and process about you include:
Account data |
Data that is related to our Customer’s Account with Iterable, such as Identity Data and Contact Data and other information you may provide to us in your interactions with our staff. |
Identity Data |
First name; last name. |
Contact Data |
Address; billing address; business email address; telephone number; company name; job title; LinkedIn URL; social media handle; emergency contact (if required). |
Image Data |
Photos; video recordings. |
Financial Data |
Bank account details; partial payment card details. |
Transaction Data |
Details about payments made between you and us; details of services purchased from us. |
Profile Data |
Interests and preferences; contact preferences; whether you have participated in any promotions or competitions; feedback and survey responses; dietary preferences; the content of any messaging you send using any Enquiry Form or Chat function on the Site. |
Behavioural Data |
Data relating to your browsing activity or interaction with our emails, obtained through the use of cookies, pixel tags and other similar technologies; information about when your current or previous sessions started; details about any services you viewed or purchased through the Site; information you shared within the Iterable Community pages. |
Technical Data |
IP address; browser type and operating system; geolocation, to ensure we’re showing you the correct notices and information; any other unique numbers assigned to a device. |
Marketing and Communications Data |
Marketing preferences; service communication preferences. |
Publicly Available Data |
Information about articles (or similar) that you may have published; Information about your interests or affiliations. |
Iterable Platform Data |
Information about your usage and interaction with the Iterable Platform. |
Support Data |
Information, images and files you may share with our technical support staff when you interact with them and through support tickets. |
For more information about the personal data we collect please refer to section ‘HOW WE USE PERSONAL DATA’ below.
8. CUSTOMER END USER INFORMATION WE PROCESS AS A PROCESSOR
Iterable is a B2B company. We provide our Services so that Customers can enable the deployment of email, SMS, push notifications, in-app messages and web push messaging to End Users. In providing these Services, Iterable processes personal data relating to End Users (“End User Data”) that the Customer submits to the Services or instructs us to process on their behalf, in connection with the Services. Except where outlined in this Privacy Notice, the Customer is the controller of this End User Data. Iterable may generate aggregated statistics from End User Data. Please refer to the ‘Insight and analysis’ section below for further information.
9. HOW WE COLLECT PERSONAL DATA
We may collect and receive your personal data using different methods:
Personal data you provide to us |
You may give us your personal data directly, for example, when you obtain services via our Site, contact us with enquiries, complete forms on our Site, subscribe to receive our marketing communications or provide feedback to us. We may also collect your data if we have attended an event and obtained your permission to add you to our database. |
Personal data we collect using cookies and other similar technologies |
When you access and use our Site and the Iterable Platform, we will collect certain Behavioural Data and Technical Data. We collect this personal data by using cookies and other similar technologies (see the “Insight and analysis” section below). |
Personal data received from third parties |
We may receive personal data about you from third parties. Such third parties may include our Customers who have used our refer a friend facility on our Site, analytics providers, third parties that collect data from publicly available sources in order to assist us identifying prospective Customers and with delivering personalised communications to prospective Customers and third parties that provide technical services to us so that we can provide our Site and our Services. |
Publicly available personal data |
From time to time, we may collect personal data about you (Identity Data, Contact Data, or Publicly Available Data) that is contained in publicly available sources (including open source data sets or media reports) or that you or a third party may otherwise make publicly available (for example through speeches at events or publishing articles or other news stories or posts on social media platforms). |
10. WHO WE COLLECT PERSONAL DATA ABOUT
We collect and process personal data from the following people:
Site visitors |
We will collect and process your personal data in connection with your interaction with us and our Site |
People who contact us with enquiries |
If you contact us with an enquiry through our Site, submit a complaint or provide any feedback to us in our surveys and feedback forms, we will collect and process your personal data in connection with your interaction with us and our Site. |
Customer personnel |
We may collect and process your personal data in connection with the supply of Services to you and/or your organization. |
End Users |
We may collect and process your personal data in order to provide our Services to our Customers and for insight and analytics purposes. |
Partner/supplier personnel |
If you (or your organisation) supply products or services to us or otherwise partner with us, we may collect and process your personal data in connection with our receipt of those products and services and/or partnership. This may include personal data included in any email or telephone communications or recorded on any document relating to an order for the products or services, such as your Contact Data. |
Visitors to our offices |
If you attend one of our physical offices or other locations, we may process personal data that you volunteer in connection with your visit and any enquiries you make. For example, you may volunteer personal data when signing in as a guest, or when you register for and access our guest Wi-Fi network at our premises. CCTV footage may also be collected for security purposes. |
Event attendees |
If you attend one of our events (conferences, webinars, meetings), we will process personal data about you in connection with your attendance at the event. For example, we may ask you to complete a registration or feedback form, or other documents relating to the event. |
11. HOW WE USE PERSONAL DATA
A: OPERATION OF THE SITE AND PROVISION OF SERVICES
I. Operation of the Site
If you browse our Site |
When you browse our Site, we collect and process Behavioural Data and Technical Data to help us understand how you are using and navigating our Site. We do this so that we can better understand which parts of our Site are more or less popular and improve the structure and navigation of our Site. Our legal basis for processing It is necessary for us to use your personal data to perform our obligations in accordance with any contract that we may have with you for the Services, or it is in our legitimate interest to use personal data in such a way to ensure that we provide access to our Site in a secure and effective way and so that we can make improvements to our Site. |
Insight and analysis (Site) |
We and our third-party partners use cookies, web beacons, pixel tags and other similar technologies (which we generically refer to as “Cookies”) to collect data from the devices that you use to access our Site and any emails that you receive from us. The data that is collected includes Behavioural Data and Technical Data, and certain Profile Data. Please see our Cookie Policy for further information, including details of our third-party partners. We and our third-party partners use this data to analyse how you use our Site and the effectiveness of our Site including:
In some of our email messages, we use a “click-through URL” linked to certain websites administered by us or on our behalf. We may track click-through data to assist in determining interest in particular topics and measure the effectiveness of these communications. Our legal basis for processing Where your data is collected through the use of non-essential cookies, we rely on consent to collect your personal data and for the onward processing purpose. Please see our Cookie Policy for further information, including details of our third-party partners. In certain circumstances, we may rely on another lawful basis when we use your personal data collected via the use of cookies. For example, where we use personal data collected through the use of analytics cookies to analyse how you use our Site, it is in our legitimate interest to use your personal data in such a way to improve our Site and Services. |
If you link to social media sites and interact with our social media pages |
If you click on one of the social media links on our Site or otherwise interact with our social media pages such as on Twitter, Linkedin or Instagram (including interacting with any ‘like’ or similar embedded features on our Site or social media accounts), we and the relevant social media platform may receive information relating to such interaction and may share your personal data in connection with this purpose, such as certain Behavioural Data and Technical Data. For more information about how we use this personal data, please see the “Site insight and analysis.” section above. The relevant social media platform may also be a controller in respect of the personal data that is collected via your use of our social media pages and may use that personal data for additional purposes. For details of how the relevant social media platform uses your personal data, please see the privacy notice of the relevant social media platform. Our legal basis for processing It is in our legitimate interest to use personal data in the ways described above to ensure that we provide the Site in an effective way and to promote our Site via social media. |
If you have a general question or need help with any issue concerning our Site or our Services |
There are various ways in which you are able to contact us (see the “How to contact us” section above). In particular, our Site features a Chatbot, which invites you to submit general enquiries about our Services via a chat function. From time to time, you may also be able to submit specific enquiries on other pages of our Site, including in secure account areas. When you make an enquiry, we will collect and process your Identity Data, Contact Data and, if applicable, certain Profile Data and Transaction Data, as well as any other personal data you volunteer that is relevant to your enquiry. If you have a technical issue concerning our Site or Services, we may also collect and process Behavioural Data and Technical Data to help us diagnose the technical issues you are experiencing and to help us resolve them in an efficient way. We use this information to manage and respond to your enquiry. We may also record (including voice recordings of telephone conversations) and use the information referred to above to train our personnel so that they can effectively deal with enquiries. Our legal basis for processing It is in our legitimate interest to use your personal data in the ways described above to ensure that we are able to help you with your enquiry, provide a good standard of service and improve our customer services. |
II. Provision of our Services (Iterable Platform)
If you register and access an account on the Iterable Platform |
You will be required to register an account with us in order to gain access to the Iterable Platform. Account applicants will need to complete the registration form, providing all required Identity Data, Contact Data, Registration Data. We will use this data in order to process your registration. Once the account is registered, we will process your Account Data, Registration Data and Profile Data to identify you when you log in to your account and access secure areas of the Iterable Platform. Our legal basis for processing It is necessary for us to use your personal data to perform our obligations in accordance with any contract that we may have with our Customer, or it is in our legitimate interest to use personal data in such a way to ensure that we provide access to the Iterable Platform in a secure and effective way and so that we can make improvements to the Iterable Platform. |
End User data insight and analysis |
We may, acting on our own behalf and on behalf of our Customers, collect data about End Users in connection with the provision of our Services to carry out insight and analysis on an anonymised and/or aggregate basis so that we can improve our Services (and customise content on our Services) and better understand how our Services are used by End Users. The data that is collected includes Behavioural Data and Technical Data, Iterable Platform Data and certain Profile Data. Please see our Cookie Policy for further information, including details of our third-party partners. In some of our email messages, on behalf of our Customer, we use a “click-through URL” linked to certain websites administered by us or on our Customers behalf. We may track click-through data to assist our Customers in determining End User’s interest in particular topics and measure the effectiveness of these communications. We will place the cookies but the Customer will be the controller of this data. Our legal basis for processing To the extent the above involves personal data, it is in our legitimate interests (or those of our Customer) to process personal data in this way to enable us to provide and improve our Services. Where your data is collected through the use of non-essential cookies, we (or our Customer) rely on consent to collect your personal data and for the onward processing purpose. Please note that often such services will relate to anonymous data sets (aggregated data sets, statistical data sets and similar) and are used for high-level market analytics or making business decisions (amongst other things). When we do this, we and our Customers are not processing personal data. |
Systems monitoring |
We will process End User and Customer personnel data in connection with the provision of our Services in order to:
This will involve processing Account Data, Technical Data, Behavioural Data, Iterable Platform Data and certain Profile Data. Our legal basis for processing To the extent the above involves personal data, it is in our legitimate interests (or those of our Customer) to process personal data in this way to enable us to provide, protect and improve our Services. |
Iterable Community |
Where you have agreed to participate in the Iterable Community and comply with the Iterable Community guidelines, we may process your Identity Data, Contact Data, Registration Data, Profile Data, Account Data, Technical Data and Behavioural Data for the purposes of enabling participation and peer to peer support on best practices when using the Iterable Platform. If you submit any content to the Iterable Community page we may process any personal data comprised within that content for the purposes of providing the Iterable Community page, to improve our Site and Services and promote our Site and Services. Our legal basis for processing Where you have agreed to participate in the Iterable Community, we will rely on our legitimate interests to process your personal data in order to provide the Iterable Community, to improve and promote our Site and Services. |
III. Onboarding and technical support
If you procure our Services |
We collect and maintain personal data that Customer personnel submit to us for the purpose of supplying our Services that a Customer has requested from us. We may collect and process your personal data whether you are interacting with us on your own behalf or on behalf of any organisation you represent. The personal data we process may include your Identity Data, Contact Data, Registration Data, Profile Data, Financial Data and Transaction Data (where applicable). We process this information so that we can fulfil the supply of Services, maintain our user databases and to keep a record of how our Services are being used. Our legal basis for processing It is necessary for us to use your personal data to perform our obligations in accordance with any contract that we may have with the Customer for the Services, or it is in our legitimate interest or a third party’s legitimate interest to use personal data in such a way to ensure that we provide our Services in an effective, safe and efficient way. |
Provision of support Services to our Customer |
Where we have engaged you as a Customer, we will process personal data of Customer personnel in order to provide you with the agreed upon Service. This will involve processing Account Data, Technical Data and Behavioural Data for the following purposes:
Our legal basis for processing It is necessary for us to use personal data in this way to perform our obligations in accordance with any contract that we may have with you where you or the organisation you represent is a Customer, or it is in our legitimate interest or a third party’s legitimate interest to use personal data in such a way to ensure that our Services are provided in an effective way. |
B: CUSTOMER RELATIONS
I. Customer surveys and feedback
If you complete our surveys or provide feedback on your experience of our Site and/or our Services |
From time to time, we will invite you to provide feedback about us, our Site and Services in the form of online surveys. We will collect and process your Identity Data, Contact Data and, if applicable, certain Profile Data and Transaction Data, as well as any other personal data you choose to volunteer in your survey response or other feedback. We use this information to help us to monitor and improve our Site and Services, to assist with the selection of future product and service lines and to train our personnel. You can also voluntarily provide feedback by email or via our Chatbot on our Site. Our legal basis for processing It is in our legitimate interest to use the personal data provided by you so that we can improve our Site and our Products and Services and provide them in an effective way. |
V. Marketing to our Customers
Marketing |
We may use your Identity Data, Contact Data and Marketing and Communications Data to send you (or the organisation you represent) marketing communications by email or via phone. Our marketing will include press releases and information about us. We will also provide you with personalised communications which we think will be of interest to you. Our legal basis for processing Where we are sending you personalised communications and you are a prospect, it is in our legitimate interest to use your personal data in this way to ensure the promotion of our Services is tailored and/or appealing to you and/or the organisation you work for. Please note that we will only send you marketing through newsletters, promotions and events with your consent. |
If we carry out any online personalised advertising |
We and our third party partners may use your Profile Data, Behavioural Data and Technical Data and other data that is collected through your interactions with third party websites and services to provide you with, and analyse the effectiveness of, personalised ads when you visit other websites and/or use other services (including the social media and other platforms described in the “If we advertise to you on social media and other platforms” section below). By “personalised ads”, we mean advertisements for products and services that you have shown an interest in when you have used our Site or which you otherwise might be interested in based on your browsing habits, although our third- party partners may use the data that is collected to show personalised ads for products and services offered by third parties. You can exercise control over how your personal information is used for advertising purposes by visiting http://www.youronlinechoices.eu/ and https://optout.aboutads.info/. Our legal basis for processing Please see the “Insight and analysis – Site” section above to learn about the legal basis that we rely on to collect data via the use of Cookies. Where we use your personal data to display online personal advertising to you, we rely on the consent that you have provided in respect of the collection of such data, or it is otherwise in our legitimate interests to promote our Site and Services to you. Our third party partners may rely on a different lawful basis in respect of their use of your personal data. Please read the privacy policy of the relevant third-party provider, as set out in our Cookie Policy and/or our Cookie preference centre. |
If we advertise to you on social media and other platforms |
We share your email address (usually in an encrypted or ‘hashed’ form) with third-party providers of social media platforms and other services, such as Facebook and LinkedIn and other similar platforms (“Social Platforms”), so that the third party providers can try to “match” your data with the data of their registered users of their Social Platforms. Where there is a successful match, we will display our advertising to you when you use the relevant Social Platform (e.g. on your LinkedIn newsfeed). This is known as “custom audience” advertising, because we “customise” the audience that we want to reach on the relevant service. Some of the advertising that you see may be personalised to you. The data that we use to personalise our advertising, such as your Profile Data and Behavioural Data, will not be provided to the third-party providers of the Social Platforms. Please see the “Insight and analysis -Site” section above to learn more about how we personalise advertising to you. This activity is also subject to the privacy choices you have elected to make on such Social Platforms. Our legal basis for processing We will only share your personal data with the third-party providers of the Social Platforms, so that we can advertise our Products and Services to you when you use those Platforms, where you have provided your consent. |
If we advertise to other people who share similar interests and characteristics to you |
We will provide your personal data to third-party providers of other services as described in the “If we advertise to you on social media and other platforms” and the “Insight and analysis – Site” sections. If you are a user of those third-party services, we may ask the third-party providers of those services to find other registered users of their services who share similar interests and characteristics to you, which will be based on information that the third party holds about you and its other registered users. This is known as “lookalike” audience advertising because we are trying to show our advertising to people who “look like” you. Please note that such activity is also subject to the privacy choices you have elected to make on such third-party services. Our legal basis for processing It is in our legitimate interests to share your personal data with the third-party providers of other services so that we can advertise our Services to other individuals that use those services and share similar interests and characteristics with you, although where this activity is undertaken through the use of Cookies please see the “Insight, and analysis – Site” section above) to learn about the legal basis that we rely on. You can opt-out of our sharing of your personal information with the third-party providers by exercising your rights as a data subject as set out below. |
If you contribute to our marketing content |
If you write an article or blog for us or take part in a video, or contribute in any other way to publications we send to our Customers and/or publish on our Site or on our social media, we may use your personal data (such as your Identity Data and/or Contact Details) to credit you for your contribution. If you provide photographs or other images in support of your article or blog, we may publish one or more of those images alongside your article or blog. If you take part in a video, we may use your image in the video. We use this personal data for the purposes of promoting our Site and our Services. We may also allow third parties to use the articles, blogs or videos that you contribute, or the content that you provide. If the use of such content would involve the use of your personal data, we may use your Contact Details to ask your permission to use the relevant content, unless we are satisfied that we have a lawful right to use the content without your permission. Our legal basis for processing Where we use your content in connection with Services that we provide, it is in our legitimate interest to use any personal data that you provide to us to ensure that we provide the relevant Services in an effective way and promote our Services. Where we permit a third party to use your personal data contained within content that you submit, we will do so without your permission if we are satisfied that it is within our or the third party’s legitimate interest to use your personal data, including to promote our Services or products and/or services offered by the third party. If it is not within our legitimate interest, we will contact you to ask your permission, in which case our processing of such personal data will be based on your consent. |
C: BUSINESS ADMINISTRATION, FINANCIAL AND LEGAL
Receipt of services |
If we have engaged an organisation to provide us or our Customer with services (for example, IT support or financial advice), we will collect and process your personal data (including Contact and Identity Data) if you are a contact within the relevant organisation in order to manage our relationship or our clients with the organization, to receive services from the organisation and, where relevant, to provide our services to others including our clients. Our legal basis for processing It is necessary for us to use personal data in this way to perform our obligations in accordance with any contract that we may have with the organisation, or it is in our legitimate interest to use personal data in such a way to ensure that we have an effective working relationship with the organisation and are able to provide our services to others in an effective way. Where we do this on behalf of our clients as a data processor, we do not require a legal basis for such processing. |
Visiting our offices |
If an individual visits any of our offices we may collect personal data including Identity or Contact Data as part of our sign in process. We may also capture their image on our surveillance camera or CCTV. If an individual registers as a guest user for free Wi-Fi access at any of our premises, we may collect personal data including Identity and Contact Data as part of the registration process. We may also process Behavioural and Technical Data in connection with any use of this free Wi-Fi service for monitoring and record-keeping purposes, including to identify the source of service requests, optimise and maintain performance of the Wi-Fi service, and investigate and prevent system abuse. Our legal basis for processing It is in our legitimate interests to process personal data in this way for security reasons. Where we process personal data in connection with providing access to our free Wi-Fi service, it is in our legitimate interests to process personal data in this way to provide the service. Where we monitor use of our free Wi-Fi service to ensure proper use of the system, we process personal data for monitoring and record-keeping purposes based on guest user consent. |
Business administration, finance, and legal compliance |
We may use an individual’s personal data (including Identity Data, Contact Data, Financial Data, Transaction Data, Publicly Available Data) for the following business administration and legal compliance purposes:
Our legal basis for processing Where we use personal data in connection with a business transition, to enforce our legal rights or to protect the rights of third parties, it is in our legitimate interest to do so. For all other purposes described in this section, we will rely on our obligation to comply with law (including any court order) to process such personal data. We will not process any special (or sensitive) categories of personal data or personal data relating to criminal convictions or offences except where we are able to do so under applicable legislation or with the individual’s explicit consent. |
12. IF YOU FAIL TO PROVIDE YOUR PERSONAL DATA
Where we are required by law to collect your personal data, or we need to collect your personal data under the terms of a contract we have with you, and you fail to provide that personal data when we request it, we may not be able to perform the contract we have or are trying to enter into with you. This may apply where you do not provide the personal data we need in order to provide the Services you have requested from us or to process an application for employment with us. In this case, we may have to cancel your application or the provision of the relevant Services to you, in which case we will notify you.
13. SHARING YOUR PERSONAL DATA
We only share personal data with others when we are legally permitted to do so. When we share personal data with others, we put contractual arrangements and security mechanisms in place to protect the personal data shared and to comply with our data protection, confidentiality and security standards and obligations.
When processing your personal data, we may need to share it with third parties (including other Group Companies), as set out in the table below. This list is non-exhaustive and there may be circumstances where we need to share personal data with other third parties.
Iterable Group Companies |
We may share information with our Group Companies in order to work on your Customer account, provide technical support and to support our B2B marketing activities. |
Our Customers |
We may share personal data with our Customers for the purposes of providing them with Services. |
Our event coordinators/ third party venues |
We may share personal data with various event suppliers and/or partners and venues in order to arrange our events. |
Third-party IT suppliers |
We may share personal data with third parties who support us in providing our Site and help provide, run, and manage our internal IT systems. Such third parties may also include, for example, providers of information technology, cloud-based software-as-a-service providers, identity management, website design, hosting and management, data analysis, data back-up, security, and storage services. The servers powering and facilitating that cloud infrastructure are located in secure data centres around the world, and personal data may be stored in any one of them. We may also share your personal data with third-party service providers to assist us with insight analytics. These providers are described in our Cookie Policy. |
Payment providers and banks |
We may share personal data with third parties who assist us with our invoicing and/or making/receiving payments. |
Advertising partners |
We share personal data with third party advertising partners, including those set out in our Cookie Policy and/or our Cookie preference centre when you use our Site. This data is used to provide you with, and measure the effectiveness of, online personalised advertising and for other advertising related activities. |
Third-party post/email marketing and CRM specialists |
We may share personal data with specialist suppliers who assist us in managing our marketing database and sending out email marketing communications. |
Partners |
We operate a partner ecosystem. When a Customer signs up with a partner it must agree to partner the terms of service and it will obtain the appropriate consents in order for us to share End User data with them. |
Auditors, lawyers, accountants and other professional advisers |
We may share personal data with professional services firms who advise and assist us in relation to the lawful and effective management of our organisation and in relation to any disputes we may become involved in. |
Law enforcement or other government and regulatory agencies and bodies |
We may share personal data with law enforcement or other government and regulatory agencies or other third parties as required by, and in accordance with, applicable law or regulation. |
Other third parties |
Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, or to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation. |
14. SUBPROCESSORS
Iterable relies on other third party processors to process personal data of Site visitors, Customer personnel and End Users. Our subprocessor list can be accessed at the following link .
Iterable enters into contractual agreements with each sub processor, who can only process data in accordance with the relevant agreement.
15. DATA TRANSFERS OUTSIDE THE EEA AND UK
We may transmit personal data outside the UK and the EEA to certain categories of third parties (as listed above in SHARING YOUR PERSONAL DATA) and to our Group Companies, more specifically to our headquarters in San Francisco (“US”).
Non-EEA countries do not have the same data protection laws as the UK and the EEA. In particular, non-EEA countries may not provide the same degree of protection for your personal data. However, when transferring your personal data outside the UK or the EEA, we will ensure that, where required by applicable law, at least one of the following safeguards is implemented: (1) we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK Government or the European Commission; or (2) where we use certain service providers, we may use specific contracts approved by the UK Government or the European Commission referred to as the “Standard Contractual Clauses” or “SCCs” which give personal data the same protection it has in the UK and EU.
To find out more about the SCCs we use, please see: Standard contractual clauses for international transfers | European Commission (europa.eu) or please email us at privacy@iterable.com
APEC PRIVACY RECOGNITION FOR PROCESSORS AND CROSS BORDER PRIVACY RULES
Iterable has obtained APEC Privacy Recognition for Processors (“PRP”) certification and the APEC Cross Border Privacy Rules (“CBPR”) and shall process personal data in accordance with this privacy notice and the scope of its certification. The CBPR Notice can be accessed here and the PRP notice can be accessed here
EU-US DATA PRIVACY FRAMEWORK, SWISS-US DATA PRIVACY FRAMEWORK AND THE UK EXTENSION TO THE EU-U.S DATA PRIVACY FRAMEWORK
Iterable complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Iterable has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) and the the UK Extension to the EU-U.S. DPF, with regard to the processing of personal data received from the European Union and the United Kingdom.
Iterable has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/
Iterable is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC). If you have an unresolved privacy complaint, you may also refer this to your data protection authority and we will work with them to resolve your concern. In certain circumstances, the Data Privacy Framework provides the right to invoke binding arbitration to resolve complaints which were unable to be resolved by other means, this is described in on the Data Privacy Framework Website.
If you are an EU, UK, or Swiss Individual, where we transfer your personal data to third party services providers who perform services for us or on our behalf, we are responsible for the processing of that data by them and will remain liable if they process your personal data in a manner inconsistent with the EU-GDPR, UK-GDPR, or Swiss-FADP, as applicable, or the DPF Principles referred to in this section, unless we prove that we are not responsible for the event giving rise to the damage.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Iterable commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Iterable at privacy@iterable.com
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Iterable commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
If you have any Data Privacy Framework questions, concerns or complaints please contact us on privacy@iterable.com
16. OBTAINING YOUR CONSENT
Where our use of your personal data requires your consent, you can provide such consent:
- at the time that we collect your personal data following the instructions provided; or
- by informing us by e-mail, post or phone using the contact details set out in this Privacy Notice.
Please note that if you specifically consent to additional uses of your personal data, we may use your personal data in a manner consistent with that consent.
17. CONFIDENTIALITY AND SECURITY OF YOUR PERSONAL DATA
We are committed to keeping the personal data you provide to us secure and we have implemented information security policies, rules and technical measures to protect the personal data under our control from unauthorised access, improper use or disclosure, unauthorised modification and unlawful destruction or accidental loss. In addition, all our employees and data processors (i.e. those who process your personal data on our behalf) are obliged to respect the confidentiality of the personal data of all users of our Site and those who purchase our Services.
Iterable’s security design and requirements are guided by industry defined best practices, including NIST and ISO 27001. Iterable is both ISO 27001 and SOC 2 Type II certified. Internal Information Security policies and procedures, control framework, and risk matrix are defined and regularly reviewed to monitor coverage and effectiveness.
Please be advised that the security of information transmitted through the internet cannot be guaranteed. Protecting your password and authentication methods is your responsibility.
Your Iterable account information is protected by a password for your privacy and security. Iterable uses Transport Layer Security (“TLS”) to encrypt all data communication over Hypertext Transfer Protocol (“HTTP”), otherwise known as HTTP Secure (“HTTPS”).
18. YOUR DATA PROTECTION RIGHTS
You have certain rights in relation to the personal data we hold about you, as described in the table below. Iterable does not restrict your rights according to the region you are located.
Please note, these rights are not absolute and there may be situations where we are unable to fulfil your request e.g. if it’s incompatible with our financial and legal obligations.
Your right of access |
If you ask us, we will confirm whether we are processing your personal data and, if so, provide you with a copy of that personal data (along with certain other details). If you require additional copies, we may charge a reasonable fee for producing those additional copies. |
Your right to rectification |
If the personal data we hold about you is inaccurate or incomplete, you are entitled to have it rectified. If we have shared your personal data with others, we’ll let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we will also tell you who we’ve shared your personal data with so that you can contact them. |
Your right to erasure |
You can ask us to delete or remove your personal data in some circumstances, such as where we no longer need it or where you withdraw your consent (where applicable). If we have shared your personal data with others, we will let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we will also tell you who we have shared your personal data with so that you can contact them directly. |
Your right to restrict processing |
You can ask us to “block” or suppress the processing of your personal data in certain circumstances such as where you contest the accuracy of that personal data or you object to us processing it for a particular purpose. This may not mean that we will stop storing your personal data but, where we do keep it, we will tell you if we remove any restriction that we have placed on your personal data to stop us processing it further. If we’ve shared your personal data with others, we’ll let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we’ll also tell you who we’ve shared your personal data with so that you can contact them directly. |
Your right to data portability |
You have the right, in certain circumstances, to obtain personal data you have provided to us (in a structured, commonly used and machine-readable format) and to reuse it elsewhere or to ask us to transfer it to your chosen third party. |
Your right to object |
You can ask us to stop processing your personal data, and we will do so, if we are: (i) relying on our own or someone else’s legitimate interest to process your personal data, except if we can demonstrate compelling legal grounds for the processing; or (ii) processing your personal data for direct marketing purposes. |
Your rights in relation to automated decision-making and profiling |
You have the right not to be subject to a decision when it is based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for the entering into, or the performance of, a contract between you and us. |
Your right to withdraw consent |
If we rely on your consent (or explicit consent) as our legal basis for processing your personal data, you have the right to withdraw that consent at any time. You can exercise your right of withdrawal by contacting us using our contact details in the “How to contact us” section above or by using any other opt-out mechanism we may provide, such as an unsubscribe link in an email. |
Your right to lodge a complaint with the supervisory authority |
If you have a concern about any aspect of our privacy practices, including the way we have handled your personal data, please contact us using the contact details provided in the “How to contact us” section above. You can also report any issues or concerns to a national supervisory authority in the Member State of your residence or the place of the alleged infringement. You can find a list of contact details for all EU supervisory authorities at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. As we are incorporated in the United Kingdom, our regulatory authority is the Information Commissioner’s Office (“ICO”). Contact details for the ICO can be found on its website at https://ico.org.uk. |
How do we process privacy requests?
Privacy requests are processed by Iterable using this link: https://preferences.iterable.com/privacy. Please click on the link and begin the process. Iterable will take reasonable steps to verify the identity of the requestor and, we may ask you to provide proof of identity in order to respond to privacy requests in accordance with GDPR, CCPA, CPRA and any other applicable privacy legislation. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. In order to verify your identity, we may need to gather more personal data from you than we currently have.
In some circumstances we are required to hold onto a copy of your personal information for business or legal purposes, this can include billing, technical support, law enforcement or litigation. When we no longer need this information we will delete the information if we are legally able to.
If you are a Customer and want further information as to how you can exercise your data rights an End User please talk to your CSM or refer to the support documentation.
19. OPT OUT AND UNWANTED COMMUNICATIONS
To opt-out of any future promotional or marketing communications or any other commercial communications from us, you should send a request to us at the contact information in the section entitled “how to contact us” above.
20. THIRD PARTY LINKS AND SERVICES
This Privacy Notice only applies to personal data processed by us through your use of our Site and/or in connection with our business operations. However, from time to time, our Site may contain links to third-party websites and services. We have no control over these websites and services and this Privacy Notice does not apply to your interaction with the relevant third parties.
When you use a link to go from our Site to another website (even if you don’t leave our Site) or you request a service from a third party, your browsing and interactions on any other websites, or your dealings with any other third-party service provider, is subject to that website’s or third-party service provider’s own rules and policies. For example, our Site invites you to connect with us on social media platforms such as Facebook and LinkedIn. When you click on the links we provide to such third-party platforms, you will be transferred from our Site to the relevant third-party platform and the privacy notice (and other terms and conditions) of that platform will apply to you.
We do not monitor, control or endorse the privacy practices of any third parties. We encourage you to become familiar with the privacy practices of every website you visit or third-party service provider that you use in connection with your interaction with us and to contact them if you have any questions about their respective privacy notices and practices.
21. HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We retain personal data only for as long as is necessary for the purposes described in this Privacy Notice, after which it is deleted from our systems.
If any personal data is only useful for a short period (e.g. for a specific event or marketing campaign), we will delete it at the end of that period.
Service Data: We will keep certain Customer personnel personal data and other personal data related to the provision of a Service for as long as we have an active contract with the Customer. We are entitled to retain such personal data if required by EU/UK law and often data will be kept for audit purposes. Iterable must retain certain financial and corporate data under national regulations and laws. This can include invoices, tax information, banking information. This data is held for a minimum of 7 years.
End User Data: Iterable will act on the instructions of the Customer and contractual obligations when deleting End User personal data at the conclusion of a contract.
Sales and Marketing Data: If you are a Customer we will retain your data for the duration of your contract with us, unless you have unsubscribed.
Prospective customers: We only keep data obtained from our third party service providers for B2B prospecting for 24 months from the last interaction you have had with us. If you wish to exercise any of your rights regarding this data please refer to the Your Data Protection Rights section.
If you have opted out of receiving marketing communications from us, we will need to retain certain personal data on a suppression list so that we know not to send you further marketing communications in the future.
22. PERSONAL DATA OF MINORS
Our Site is not intended for use by, or targeted at, minors (individuals under the age of 16) and we do not knowingly collect personal data of minors. If you are under 16, you cannot use the Site.
If we discover that we are holding the personal data of a minor, we will delete that information as soon as possible. Please contact us if you have reason to believe that a minor may have submitted personal data to us (see the “How to contact us” section above).
23. COUNTRY SPECIFIC PROVISIONS
Iterable offers the ability for all individuals to control their data under the “Your Data Protection Rights” section; we do not make this dependent on your region.
UNITED STATES
California Residents
If you are a resident of California, you have additional rights under the CCPA.
CCPA secures the following privacy rights for California consumers:
- The right to know about the personal information a business collects about them
- The right to delete personal information collected from them (with some exceptions)
- The right to opt-out of the sale of their personal information
- The right to non-discrimination for exercising their CCPA rights
CCPA is known as CPRA effective January 1, 2023 updating CCPA legislation, making it easier to understand and will provide employees and contractors (HR Individuals) rights under CCPA.
New rights under CPRA include:
- The right to correct
- The right to limit use of sensitive information
- The right to access information about automated decision making
- The right to opt-out of automated decision making
Iterable does not sell your personal information or share information for cross context behavioural advertising. You can exercise your rights at this link.
Archived Privacy Policy – 07.13.2023