Privacy Policy

Information that StructuredWeb Collects

Registration Information. StructuredWeb collects personal information when you register for an account with the Platform, such as your name, address, phone number, and email address.

Using the Service. We also collect information when you use certain StructuredWeb products or services and when you visit StructuredWeb pages.

Platform Users. Through the use of the Platform, we might collect information about you and your users and track how you use the Platform, the tools you use, and the marketing materials you access. We and the vendor for whom you are using the Platform will be able to track how often you log in to the Platform, which marketing assets you use, and measure how many leads and opportunities you generate from any marketing activities you launch from the Platform.

Platform Users’ Customer Data. As a user of the Platform, you or your employees might choose to upload your customer mailing list to our Platform. You might also use our landing pages to capture new leads from email or other digital marketing activities (with your customer mailing list, this information is “Customer Data”). All of this Customer Data is yours and, except as set forth in this Privacy Policy, we do not grant anyone else rights to it.

Customer Support. We may collect information about you through your communications with our customer-support team.

Cookies, Automatic Data Collection, and Related Technologies. The Service collects and stores information that is generated automatically as you use it, including your preferences and anonymous usage statistics.

When you visit the Service, we and our third-party service providers receive and record information on our server logs from your browser, including your IP address, and from cookies and similar technology. Our service providers may collect information about your online activities over time and across different online services. Cookies are small text files placed on your computer browser when you visit a website. Most browsers allow you to block and delete cookies. However, if you do that, then the Service may not work properly.

By using the Service, you are authorizing us to gather, parse, and retain data related to the provision of the Service.

How We Use Your Information

Internal and Service-Related Usage. We use information, including unique identifiers and your location for internal and Service-related purposes, such as data analytics, and may share this information with service providers to allow us to provide, maintain, and improve the Service.

Communications. We may send email to the email address you provide to us to verify your account and for informational and operational purposes, such as account management, customer service, or system maintenance.

Aggregate Data. We may anonymize and aggregate data collected through the Service and use it for any purpose. This includes compiling reports to analyze marketing assets performance and the aggregate results of their use. We use this information to continue to improve the Service, make recommendations to our customers for new tools and content you might want to use, and provide reports to the Marketing Program Provider so it can also understand the Platform or content usage to better serve you.

Who can use Customer Data. All of your Customer Data is considered your private and confidential information. Your vendor, unless otherwise agreed upon, is granted access to your Customer Data only with your express permission and solely to help you with your marketing initiatives, lead capture, and conversion of opportunities to sales.

What we do with Customer Data. We access and use your Customer Data to help you with your own marketing activities and to benefit your own business. At your request, we will help you to upload your mailing list or configure marketing programs in your account. We might run automatic programs to organize your data and enhance the information you have about your prospect to help you with your marketing activities. From time to time you or your employees might contact our customer support team to get help with the use of the Platform. In such a situation, we might need to access your account, diagnose the problem, and help you resolve it. Again, such access will be limited and will be done to help you with your own marketing initiatives on the Platform.

Marketing Concierge Services. Your Marketing Program Provider (IBM) may offer you added support service to help you use the platform, create marketing plans, upload your mailing list, activate marketing activities on your behalf, and help you review and analyze marketing reports. To provide you with such services, the Marketing Concierge Agent (StructuredWeb) will have access to your account, marketing activities, mailing list, leads opportunities, and reports. Such access is limited only to help you use the platform, and the Marketing Concierge Agent will not use or share any information from your account for any other purpose.

Disclosing Your Information

We Use Vendors and Service Providers. We may share any information that we receive through the Service with vendors and service providers retained in connection with the provision of the Service.

As Required By Law and Similar Disclosures. We may access, preserve, and disclose your personal information, other account information, and content if we believe doing so is required or appropriate to comply with law enforcement requests and legal processes, such as a court order, government request, or subpoena.

Consent. We may also disclose your personal information with your permission.

International Users

We are based in the United States and, regardless of where you use the Service or otherwise provide information to us, the information may be transferred to and maintained on servers located in the U.S. The U.S. may not have the same data protection framework as the country from which you may be using the Service. By using the Service, you consent to the transfer of information to countries outside your country of residence, including the U.S.

Rights Under GDPR: If you are a resident of the European Union, you have the right to access personal data we hold about you and to ask that your personal data be corrected, updated, or deleted. If you would like to exercise this right, please contact us at privacy@structuredweb.com.

Rights Under CCPA: If you are a resident of California, you have the right to request what information we collect, use, disclose, and sell. You also have the right to access and delete your personal data. To exercise these rights, please contact us at privacy@structuredweb.com.

GDPR and CCPA Disclosure: Under GDPR and CCPA, we may disclose your personal information only when we have a legitimate interest, contractual necessity, or your explicit consent. We will never sell your data to third parties without your explicit consent.

GDPR Notice: The transfer of personal data to the United States is based on the adequacy decisions of the European Commission, or based on appropriate safeguards such as the standard data protection clauses adopted or approved by the European Commission. You may obtain a copy of these measures by contacting us at privacy@structuredweb.com.

Data Subject Rights Policy

Purpose
StructuredWeb has established a formal policy and supporting procedures concerning the Rights of Data Subjects. This policy will be evaluated on an annual basis for ensuring its adequacy and relevance regarding StructuredWeb’s needs and goals and commitments made to customers of StructuredWeb.

Policy
Where StructuredWeb processes personal data about individuals (including personal data of customers, contacts, employees, other workers and others), certain data protection rights are provided under data protection laws. An individual may exercise these rights by making a request to StructuredWeb (a “Data Rights Request”). Data subject rights include:

• Access to a copy of the personal data retained by StructuredWeb
• Erasure of personal data retained by StructuredWeb (this right is also referred to as the "right to be forgotten")
• Ceasing processing activities of personal data by or behalf of StructuredWeb based on some objection.
• Rectification (correction) of personal data retained by StructuredWeb
• Restriction of the processing activities for personal data by StructuredWeb
• Portability of personal data from StructuredWeb to another entity
• Excluding the individual from automated decision-making by StructuredWeb
• Removing the individual from any direct marketing by StructuredWeb

The details outlined below describe how StructuredWeb, as a data controller, will respond to any Data Rights Requests.

Response to a Data Rights Request
The data controller of an individual's personal data is primarily responsible for responding to a Data Rights Request and for helping the requestor to exercise their rights under applicable data protection laws. For example, where an employee makes a Data Rights Request to StructuredWeb, StructuredWeb is the data controller for the personal data held and processed about the employee in the employment relationship.

If StructuredWeb processes an individual's personal data as a data processor, such as on behalf of a customer who is the data controller, StructuredWeb must promptly inform the data controller of the Data Rights Request and provide reasonable assistance to help the requestor exercise his or her rights in accordance with the data controller's duties under applicable data protection laws.

Unless otherwise directed by contractual obligation, StructuredWeb will refer all Data Subjects who contact StructuredWeb directly to the client specified in contractual obligation to exercise their Data Subject Rights.

The Release Procedure:
StructuredWeb takes reasonable precautions to ensure that Personal Data released to a client, or any third party are verified and monitored to only be released to an authenticated Data Subject and cannot be used to identify another person. Our release procedures follow applicable laws/contractual obligations as a response to any data subject request.

If requested, StructuredWeb will furnish documentary evidence to fulfill contractual obligations, on the following as applicable:

• The procedures used to identify and validate data subjects making the request on the usage and deletion of their personal or confidential data.
• Documentation and record keeping of evidence concerning data subject request on the location of personal data or where the personal data is being held.
• Communication between StructuredWeb and the data subject which include procedures to take and gain access regarding their personal data.
• Documentation where data subject request is denied and retained evidence of Data Controller review and approval.
• Documentation on data subject's disagreement and escalations concerning their personal data.
• Monitoring procedures to verify and validate data subjects on the request of their personal and confidential data during collection, creation, and update as necessary.

Personal data StructuredWeb shares with third parties
If StructuredWeb shares personal data with third parties (such as data processors), it is StructuredWeb' responsibility to inform those third parties of any Data Rights Request to rectify, delete, or restrict personal data unless it would involve disproportionate effort or it is impossible.

If requested, StructuredWeb must provide details of those third parties to which a requestor's personal data has been disclosed.

How to make a Data Rights Request
Any Data Rights Requests, as outlined by this policy, may be directed to privacy@structuredweb.com..

If, as a StructuredWeb employee, you receive a Data Rights Request from another StructuredWeb employee, former employee, customer, or other party, the request should immediately be sent to privacy@structuredweb.com., together with the date on which the request was received and any other details provided by the requestor.

StructuredWeb’s DPO will make an initial assessment of any Data Rights Request to assess whether StructuredWeb is the data controller or a data processor and will verify that the request is valid. Any Data Rights Request must be made by the individual about whom the personal data pertains, and verification of identity may be required.

• If it is determined that a customer or other third party is the data controller in relation to a Data Rights Request, StructuredWeb will notify the appropriate data controller of the request as soon as possible and will assist the data controller with complying with such request (in accordance with any contract terms or other obligations outlined by applicable data protection law).
• If it is determined that StructuredWeb is the data controller in relation to a Data Rights Request, the requestor will be contacted in writing to confirm receipt of the request and seek confirmation of identity (if not already validated).

Where StructuredWeb is not exempt under applicable data protection laws from fulfilling a Data Rights Request and following receipt of any further information needed to satisfy the request, StructuredWeb will respond to the request.

Exemptions to a Data Rights Request
A data controller may decline to act on a Data Rights Request if the request is excessive and/or manifestly unfounded (for example because of repeated requests for the same data). Where StructuredWeb is permitted to decline a request, StructuredWeb must be able to demonstrate that the request is excessive and/or manifestly unfounded.

In some cases, specific additional exemptions may apply. Where specific exemptions apply to particular Data Subject Rights, these exemptions are more fully explained below.

If StructuredWeb is exempt from the requirement of fulfilling a Data Rights Request, StructuredWeb will notify the requestor that it intends to decline the request and the basis for the exemption.

Timeframe for responding to Data Rights Requests
Data Subject Requests must usually be responded to without undue delay and no later than one (1) month following receipt of the request. Where a request is particularly complex, additional time may be required.

Where a request cannot be completed in the typical timeframe, StructuredWeb is entitled to extend the response period by up to two (2) additional months provided StructuredWeb gives the requestor notice within the original timeframe of the intent to respond and the reason for the delay.

Fee for Data Rights Requests
StructuredWeb is not permitted to charge for responding to a Data Rights Request unless the request is determined excessive and/or manifestly unfounded or StructuredWeb is otherwise exempt from the obligation to act on the request (as outlined above). In such cases and where StructuredWeb agrees to respond to a request, a reasonable fee may be charged based on the administrative costs of providing the information or taking the action requested.

Data Rights Requests in more detail
Requests for access to personal data
The right of access: Right of an individual to obtain confirmation of whether a data controller processes personal data about him or her and, if so, to be provided with the details of the personal data processed and specific aspects of processing activities related to such personal data, and to receive a copy of such details.

Information to be provided in response to a request.
An individual is entitled to request a copy of the personal data about him or her held and processed by a data controller. Such data must be provided in intelligible form.

Information provided in response to a request should include:

• A description of the personal data and categories of personal data concerned.
• The estimated period for which the personal data will be stored.
• The purposes for which the personal data is being held and processed.
• The recipients or types of recipients to whom the data is, or may be, disclosed by the data controller.
• Confirmation of the individual's right to request rectification or deletion of the personal data or to restrict or object to processing of the data.
• Confirmation of the individual's right to lodge a complaint with a competent data protection authority.
• Details about the source of the personal data if it was not collected from the individual.
• Details about whether the personal data is subject to automated decision-making (including profiling)

Where personal data is transferred from the European Economic Area to a country outside of the European Economic Area, the appropriate safeguards implemented by the data controller related to such transfers in accordance with applicable data protection laws.

Format of requests

• An access request does not require any prescribed format or reference to data protection law to qualify as a valid request, although this can be helpful in identifying the type of request.
• An access request does not need to be made in writing, but it is helpful for record-keeping purposes and to clarify the request. If made in writing, the requestor should provide an email address and confirmation of whether the data requested can be sent via email (or otherwise specify preferred means by which the data may be received).
• Requests made electronically (e.g. by email) may be responded to electronically (in a commonly used format, such as by attaching pdf documents to an email) unless the individual stipulates otherwise (such as by requesting the data be provided orally or by postal service).

Exemptions

StructuredWeb will not decline to comply with an access request unless it can demonstrate that it is not in the position to identify the requestor, or it is otherwise exempt from its obligations to comply.

Confirmation of Data Subject’s Identity

Appropriate attempts will be made to validate any request. For customers a request will be made to provide a Purchase Order (PO) number and/or signed SOW to confirm connection to the respective customer engagement. For employees/consultants, including former employees/consultants they will be asked to provide appropriate confirmation for validation within StructuredWeb’s HRIS system such as StructuredWeb Engagement details, date(s) of employment/engagement, etc. At all times StructuredWeb will make every endeavor to ensure we confirm identity when a request is made so as to ensure information is not given to an incorrect party.

Requests to rectify personal data.

The right to rectification: Right of an individual to obtain rectification, without undue delay, of inaccurate personal data a controller may process about him or her.

• Rectification by StructuredWeb- If StructuredWeb holds inaccurate or incomplete data about an individual, the individual is entitled to request that the data is rectified.
• Rectification by third parties- If StructuredWeb rectifies an individual's data in response to a request, StructuredWeb will seek to notify third parties with whom StructuredWeb has shared this data (i.e. data processors).
• Supplementary statements to complete information- If a request to rectify data involves ensuring the data is complete, StructuredWeb may consider including a statement made by the requestor to provide the complete data.

Requests to delete personal data ("right to be forgotten")

The right to erasure: Right of an individual to require a controller to delete personal data about him or her on specific grounds – for example, where the personal data is no longer necessary to satisfy the purposes for which it was collected.

Circumstances in which the right to erasure may apply.

An individual may request that a data controller delete their personal data in the following circumstances:

• The personal data is no longer necessary for the purpose for which it was collected, used, or otherwise processed.
• The personal data was unlawfully processed by data controller.
• Processing occurred on the basis of consent from the individual and they withdraw consent (and no other legitimate grounds for processing the data exists);
• The individual objects to the processing (see below) and no overriding legitimate grounds exist for processing the data.
• The personal data needs to be deleted to comply with the data controller's legal obligations; and/or
• The personal data was collected in connection with services offered on the data controller's website.

Erasure of personal data by third parties

If StructuredWeb deletes an individual's data in response to a request, StructuredWeb will seek to notify third parties with whom StructuredWeb has shared this data (i.e. data processors).

It is unlikely that StructuredWeb will have made personal data public but in this case and if obligated to delete the personal data pursuant to a Data Rights Request, StructuredWeb will also take reasonable steps, including technical measures (taking into account available technology and the cost of implementation), to inform other controllers storing, using or otherwise processing the personal data of this request for deletion, including deletion of any links to, copies or replication of this personal data.

Exemptions

In addition to the general exemptions previously outlined, StructuredWeb is exempt from the obligation to delete personal data where the processing of the data is necessary for:

• Compliance with StructuredWeb' legal obligations.
• Establishing, exercising, or defending legal claims.
• Scientific, historical, or statistical purposes, and where erasure of the data would make this processing impossible or seriously impair it.
• Exercising the right of freedom of expression and information
• Public interest reasons including:
  - performance of a task carried out in the public interest,
  - exercise of official authority vested in StructuredWeb,
  - for public health reasons or archiving in the public interest (although these exemptions are unlikely to apply to StructuredWeb); and/o

Right to object to processing

The right to object: Right of an individual to object, on grounds related to his or her situation, to a controller's processing of personal data about him or her, if processing is based on the legitimate interests of the controller.

Circumstances in which individuals can object to processing.

• If StructuredWeb relies upon the grounds that use, storage or processing of personal data is in its legitimate interests, an individual may object to that processing.
• Individuals can also object to processing where such processing is required to perform a task in the public interest or to exercise an official authority vested in the controller.

Exemptions

In addition to the general exemptions outlined in Section 6, StructuredWeb is exempt from the obligation to cease processing of personal data following an objection if:

• StructuredWeb can demonstrate compelling legitimate interests for processing the data that override the interests, rights, and freedoms of the individual.
• The processing is required to establish, exercise, or defend a legal claim; and/or
• The processing is for scientific, historical, or statistical purposes carried out in the public interest.

Right to object to direct marketing

The right to object to direct marketing: Right of an individual to object to direct marketing, including profiling related to direct marketing.

StructuredWeb will seek to stop using personal data for direct marketing if it receives such a request from customers, partners, and others. StructuredWeb is unlikely to send direct marketing communications to employees and other workers in the context of their employment relationship or engagement.

Right to restriction

The right to restriction: Right of an individual to require a controller to restrict processing of personal data about her or her on specific grounds.

StructuredWeb will consider requests to restrict processing, although this is less likely to apply in the employment relationship (and/or the relationship with other workers).

Individuals may seek a restriction on StructuredWeb' processing of their personal data where, for example, they await a response to their request for access to their personal data.

Right to data portability

The right to data portability: Right of an individual to receive his or her personal data from a controller in a structured, commonly used, and machine-readable format in order to transfer that data to another controller, where the processing is: based on the consent of the individual and carried out by automated means.

StructuredWeb will consider requests to exercise the right of data portability, although this is less likely to apply in the employment relationship (and/or the relationship with other workers).

Right not to be subject to automated decision-making (including profiling)

The right not to be subject to automated decision-making: Right of an individual to object to an automated decision made about the individual which has a legal or other similar effect on the individual. Individuals can ask for manual, human review in the decision-making process.

StructuredWeb will consider requests to perform a human review, rather than using automated decision-making, although this is much less likely to apply in the employment relationship (and/or the relationship with other workers)

Conflict Resolution

Should there be a conflict between required resolution and response (eg: EUGDPR "right to be forgotten" but need to keep assets from an engagement for 4+ years) our action would be to escalate to the customer team for advice/direction.

De-identification, Aggregation and Anonymization

• In instances where StructuredWeb receives a data set from a customer/client/user with reduced identifiability, encompassing pseudonymous, Not in a Position to Identify (NPI), unlinked pseudonymous, aggregate, anonymous, or any term associated with those classifications (e.g., de-identified), StructuredWeb has established specific data handling practices.
• Unless specified otherwise by an applicable law, contract or regulation, StructuredWeb will maintain the data of the types listed above in the exact state in which it was received, ensuring the preservation of the specified level of identifiability throughout any processing or storage activities in adherence with existing and applicable law, contract and regulatory requirements.
• Additionally, unless required otherwise by an applicable law, contract, or regulation, StructuredWeb will not increase the identifiability of data sets (i.e. re-identify individuals who are part of a data set through joining to other data sets, etc.).
• If a business need or case requires increasing the identifiability of any data, the business need or case will be reviewed to ensure that all existing laws, contracts, and regulations are adhered to.

Changes to Our Privacy Policy and Practices

From time to time, we may revise this Privacy Policy. The date of the last update to this Privacy Policy will always be indicated at the beginning of this document. We will notify you before making significant changes to this Privacy Policy and seek your consent where applicable regulations, especially GDPR and CCPA, require it.

GDPR and CCPA Complaints: If you believe that we are not processing your personal information in accordance with this Privacy Policy or European data protection laws (for European users) or the CCPA (for Californian users), you have the right to lodge a complaint with a supervisory authority or seek judicial remedy.