Crownpeak Privacy Notice

Our responsibilities

This privacy notice for Crownpeak Technology, Inc. and its affiliates (including Crownpeak Intermediate Holdings, Inc., Attraqt Group Ltd., Evidon Inc., Magus Research Limited and Crownpeak Technology GmbH) (‘we’, ‘us’ or ‘Crownpeak’) describes how and why we collect, store, use, and/or share (‘process’) your personal data and information when you use our services or visit our website.

We keep this notice under review and will reflect any updates or changes to practice within this notice (to reflect changes in operations and the way we process your data). This notice was last updated on 9th May 2023.

Contacting Us

Crownpeak Technology, Inc. is the Controller and responsible for the processing of your personal data, including overseeing questions in relation to this privacy notice. If you have any questions about this notice, including any requests to exercise your legal rights, please contact us at:


Crownpeak Technology

Attention:
Privacy Department,
707 17th St. Floor 38,
Denver, CO 80202
United States of America

privacy@crownpeak.com

What personal data will we collect about you?

Personal data means any information about an individual from which that person can be identified. It does not include data where the individual’s identity has been removed (anonymous data).

Category: Online Identifiers
Examples: Your name, job title, contact details (e.g., phone number, email address, postal address or mobile number) and authentication details (e.g., user identification number, username, password to access the services).

Category: Personal Identifiers
Examples: Your IP address, your URL address (uniform resource identifier), your domain name, your browser type, your operating system, your internet service provider, geographic location information from your IP address.

Category: Internet or other similar network activity
Examples: Online activity such as the pages you view, the duration of your visit, the pages you view immediately before and after you access the website/Platform, methods used to browse away from the page, and if you are referred to our website via a third party we will determine the referring site (e.g. an ad, a search engine, or media piece).

How will we collect your personal data?

We use different methods to collect data from and about you including:

Personal data and information we collect directly from you: this is information about you that we collect when we verify your identity, register you to use our websites or platforms, provide customer support, exchange correspondence with you as well as administer and host our events. This information is also collected when you register to receive marketing communications.

Personal data and information we collect automatically: this is information about you that we collect when you visit our website and platforms. This information is also collected when you leave a comment or complete our website contact forms. We may store this information in log files and combine it with other information we collect about you.

Personal data and information we receive from other sources: we may collect information about you from third parties including social media and content syndicators. Our website and platforms may integrate with social networking services. We do not control such services and are not liable for the manner in which they operate. While we may provide you with the ability to use such services in connection with our website and platforms, we are doing so merely as an accommodation and, like you, are relying upon those third-party services to operate properly and fairly.

How do we use your personal data?

The following sets out why we process your personal data and information and our lawful basis for processing your personal data, in accordance with applicable legislation in the European Union and United Kingdom. We may rely on more than one lawful basis for processing your personal data, depending on the context of the processing activity.

Purpose/activity: To identify you and create a profile when you register with us to use our services or platforms.
Lawful basis for processing: This processing is necessary for the performance of a contract.

Purpose/activity: To verify your identity when you access and use our platforms to ensure the security of your information.
Lawful basis for processing: This processing is necessary for the performance of a contract.

Purpose/activity: To notify you about changes to our services.
Lawful basis for processing: This processing is necessary for the performance of a contract.

Purpose/activity: To deal with your enquiries and requests.
Lawful basis for processing: This processing is carried out under our legitimate interests for us to respond to your inbound queries.

Purpose/activity: To administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.
Lawful basis for processing: This processing is carried out under our legitimate interests so that we can better understand and improve our website and services.

Purpose/activity: To send you promotional and marketing information about our products and services.
Lawful basis for processing: This processing is carried out for our legitimate interests for us to promote our products and services to your organisation. You can tell us not to contact you with updates and information regarding our products and services by following the unsubscribe instructions on any communications sent to you. You also have the right to opt-out of marketing at any time by emailing privacy@crownpeak.com.

Purpose/activity: To personalise the marketing messages we send by analysing the details of the products and services you have with us.
Lawful basis for processing: This processing is carried out for our legitimate interests so that we can tailor our products, services and communications in a way that is timely and relevant to you by better understanding your requirements.

Purpose/activity: For the provision of the Crownpeak GmbH newsletter.
Lawful basis for processing: This processing is carried out only when you have provided your consent. You can tell us not to contact you with updates and information regarding our products and services by following the unsubscribe instructions on any communications sent to you. You also have the right to opt-out of marketing at any time by emailing privacy@crownpeak.com and referring to the Crownpeak GmbH Newsletter in the subject line.

Purpose/activity: To ensure the accuracy of records of the relevant third-party employees or contractors working on our facilities.
Lawful basis for processing: This processing is carried out under our legitimate interests to ensure the accuracy of the records we maintain.

Purpose/activity: To provide our partners with aggregated information about how users interact with their sites and to provide aggregated trend reports to third parties.
Lawful basis for processing: This processing is carried out under our legitimate interests to improve our partners’ understanding of their user website interactions.

Purpose/activity: To defend ourselves against legal claims and/or comply with legal obligations to which we are subject.
Lawful basis for processing: The processing is necessary in our legitimate interests (for example, to defend ourselves against a legal claim that you or your organisation may make against us) or so that we can comply with our legal obligations.

In certain circumstances, we will process your personal data based on our legitimate interests. We have decided this by carrying out a balancing exercise to make sure our legitimate interest does not override your privacy rights as an individual.

How long will we keep your personal data?

We may retain your personal data for as long as we have a relationship with you and for a period of 7 years after our relationship with you has ended.

Sharing your personal data

We will disclose your personal data to:

  • Crownpeak subsidiaries that fall under the Crownpeak group of companies. We may share your personal data with other Crownpeak group companies for marketing purposes, internal reporting, customer insights and service optimization.
  • Service providers and business partners that perform services on our behalf, including improving functionality of our platforms and websites, collecting information about you and assisting us with IT and social media management and data analytics.
  • Analytics, marketing optimization, and search engine providers that assist us in the improvement and optimization of our site.
  • Credit agencies for the purpose of assessing your creditworthiness.
  • Sponsors in the context of Crownpeak hosted events and/or webinars.
  • The prospective seller or buyer of such business or assets in the event that we sell or buy any business or assets.
  • A law enforcement agency, court, regulator, government authority or other third party where we believe this is necessary to comply with a legal or regulatory obligation, such as to comply with a subpoena or other legal process, or otherwise to protect our rights or the rights of any third party, investigate fraud, or respond to a government request.


Use of social media platforms

We maintain Facebook, Instagram, LinkedIn and Twitter profiles in order to inform our users or interested parties as well as customers about our services. These profiles can be accessed through the links available on our website.

As the operator of such social media pages, we have entered into a corresponding joint responsibility agreement with Facebook and LinkedIn. In accordance with these agreements, Facebook and LinkedIn are responsible for responding to your requests as a data subject.

Further information regarding the collection and use of data as well as your rights and protection options can be found at:

Facebook: https://facebook.com/about/privacy/
Instagram: https://instagram.com/about/legal/privacy/
LinkedIn: https://www.linkedin.com/legal/privacy-policy
Twitter: https://twitter.com/en/privacy

Security of your personal data

We support our deep commitment to protecting customers with an extensive program of operational controls and information security practices.

Crownpeak participates in a set of industry-leading independent audits, assessments, and certifications to ensure we continually exceed customers’ security needs. You can find more information here: https://www.crownpeak.com/solutions/by-need/website-security

In addition, we have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

International transfers of your personal data

Your personal data may be transferred globally in accordance with appropriate safeguards. Your personal data may be transferred to, stored, and processed in a country that is not regarded as ensuring an adequate level of protection for personal data under applicable United Kingdom or European Union legislation. When we transfer personal data to countries outside of the United Kingdom and European Economic Area (‘EEA’), we will do so in a lawful way and may rely on:

- An adequacy decision, which says that the recipient country provides an adequate level of protection of personal data.
- Appropriate safeguards to protect the personal data (for example, the approved Standard Contractual Clauses or International Data Transfer Agreement).
- A lawful exception to the rules relating to overseas data transfers (for example, the transfer is necessary to perform a contract with you, which is in your interests).

Crownpeak Technology, Inc. complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy program Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Crownpeak Technology, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework program Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Crownpeak Technology, Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework program Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Crownpeak is responsible for the processing of personal data it receives and subsequent transfers to a third party acting as an agent on its behalf. Crownpeak complies with all applicable laws for all onward transfers of personal data from the EU, UK and Switzerland, including the onward transfer liability provisions.

Your Rights

If you reside in the European Union or United Kingdom, you have certain rights in relation to your personal data. If you would like to exercise these rights please submit a request, with a description of the nature of your request and the Personal Data at issue. We have summarised these rights below:

Right: To be informed
Description: A right to be informed about the personal data we hold about you.

Right: Of access
Description: A right to access the personal data we hold about you.

Right: To rectification
Description: A right to require us to rectify any inaccurate personal data we hold about you.

Right: To erasure
Description: A right to ask us to delete the personal data we hold about you. This right will only apply where (for example):

  • We no longer need to use the personal data to achieve the purpose we collected it for.
  • Where you withdraw your consent if we are using your personal data based on your consent.
  • Where you object to the way we process your data (see the right to object described below).

If you request us to delete your data, we will retain minimum personal data to document these requests and thereby avoid using your personal data for any other purpose.

Right: To restrict processing
Description: In certain circumstances, a right to restrict our processing of the personal data we hold about you. This right will only apply where (for example):

  • You dispute the accuracy of the personal data held by us.
  • Where you would have the right to ask us to delete the personal data but would prefer that our processing is restricted instead.
  • Where we no longer need to use the personal data to achieve the purpose we collected it for, but you need the data for the purposes of establishing, exercising or defending legal claims.

Right: To data portability
Description: In certain circumstances, a right to receive the personal data you have given us, in a structured, commonly used and machine-readable format. You also have the right to require us to transfer this personal data to another organization, at your request.

Right: To object
Description: A right to object to our processing of the personal data we hold about you where our lawful basis is for the purpose of our legitimate interests, unless we are able to demonstrate, on balance, legitimate grounds for continuing to process the personal data which override your rights, or which are for the establishment, exercise or defence of legal claims.

Right: In relation to automated decision-making and profiling
Description: A right for you not to be subject to a decision based solely on an automated process, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Right: To withdraw
Description: A right to withdraw your consent, where we are relying on it to use your personal data (for example, to provide you with brochures and newsletters).

Right: To complain
Description: You have the right to make a complaint to the relevant supervisory authority, depending on your country of residence.

European Union

In the European Union, if you believe that your rights have been violated in the collection, processing or use of your personal data, you can contact the German North Rhine-Westphalia Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen).

North Rhine-Westphalia Commissioner for Data Protection and Freedom of Information can be contacted by:

Phone: +49 (0)211 / 38424 – 0
Email: poststelle@ldi.nrw.de
Visiting their website: https://www.ldi.nrw.de

Write to: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Postfach 20 04 44, 40102 Düsseldorf, Germany

United Kingdom

In the United Kingdom, you have the right to make a complaint at any time to the Information Commissioner’s Office, the UK supervisory authority for data protection issues (ico.org.uk) or to any equivalent body in the relevant jurisdiction (collectively, the “ICO”).

The Information Commissioner’s Office can be contacted by:

Visiting their website: https://www.ico.org.uk
Phone: 0303 123 1113
Write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5A

We would, however, appreciate the chance to deal with your concerns before you approach the relevant Data Protection Authorities, so please contact us in the first instance.

EU-US Data Privacy Framework, UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Crownpeak Technology, Inc. commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union, Swiss and United Kingdom individuals with DPF inquiries or complaints should first contact Crownpeak at privacy@crownpeak.com.

Crownpeak Technology, Inc. is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). Crownpeak Technology, Inc. has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs based in the United States. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See: https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2

We would, however, appreciate the chance to deal with your concerns before you approach the relevant Data Protection Authorities, so please contact us in the first instance.

If you would like to contact us with any queries or comments, request further information or exercise any of your available rights set out above, please use the contact details in the ‘Contacting Us’ section at the top of this policy.

All requests will be dealt with, wherever possible, within one month of receipt.

Additional Information for United States Residents

If you reside in the US, this section supplements the information contained in the Privacy Notice. US residents have specific rights regarding their personal data which are set out in Applicable Data Privacy Legislation including but not limited to:

The California Consumer Privacy Act (“CCPA”) became effective on January 1, 2020 and is supplemented by the California Privacy Rights Act (“CPRA”) which became effective on January 1, 2023 (applicable to personal data collected from January 1, 2022) and created a variety of privacy rights for California consumers. Additionally, Illinois (effective January 1, 2006), Virginia (effective January 1, 2023), Colorado (effective July 1, 2023), Connecticut (July 1, 2023), Utah (December 31, 2023), and Oregon (July 1, 2024) have passed laws extending similar privacy rights to their consumers.

Please note that in the preceding twelve (12) months, we have not sold your personal data.

We may disclose certain personal data, such as your first and last name, email address, job title/position, and other similar contact data, financial information, and employment details with our subsidiaries and affiliates and other third parties, including service providers who provide services on behalf of Crownpeak. When personal data is disclosed to a subsidiary, affiliate or other third party the recipient entity will be obligated to provide the same level of privacy protection required under Applicable Data Privacy Legislation.

You have the following rights in relation to the processing of your personal data:

Personal data Right: Notice of and access to personal data
Description: A right to notice of and access to certain information about our collection and use of your information.

Personal data Right: Correction of personal data
Description: A right to ask for inaccurate personal data to be corrected.

Personal data Right: Deletion of personal data
Description: A right to ask that we delete personal data relating to you, subject to certain exceptions.

Personal data Right: Objection to the sale of or sharing of personal data
Description: A right to ask for your personal data to not be sold or shared with a third party, subject to certain exceptions.

Personal data Right: To transmit personal data to another entity
Description: A right to ask for your personal data to be transferred, in a readily useable format, to another entity.

None of these rights are absolute and there may be circumstances in which we are required or permitted under applicable law not to address your request.

Only you or an authorized agent (that you authorize to act on your behalf), may make a verifiable request related to your personal data.

Any verifiable request (including those to delete data) must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal data or an authorized representative (such as by requiring you to provide a signed written authorization that the agent is authorized to make a request on your behalf).
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal data if we cannot verify your identity or authority to make the request and confirm the personal data relates to you.

You may exercise your rights under Applicable Data Privacy Legislation by contacting us by the means described in the ‘Contacting Us’ section of this policy.