Granicus complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Granicus has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.
This Privacy Notice and the DPF Principles apply to all of the Granicus group of companies mentioned above.
For further information regarding our participation in the Data Privacy Framework, please see Sections labeled “Do we Participate in the Data Privacy Framework” and “Where Does Your Data Go?” below.
We may change this policy from time to time to reflect privacy or security updates. We encourage you to periodically review this page for the latest information on our privacy practices.
How Can You Contact Us?
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Granicus commits to resolve DPF Principles-related complaints about our collection and use of your personal information. If you have questions about this statement or if you would like to exercise any rights you may have in relation to your personal data, please contact us at firstname.lastname@example.org. If you have additional questions or need to escalate an issue, use the below details to contact our Data Protection Officer (DPO):
Full name of legal entity: Granicus, LLC and Firmstep, Ltd.
Email address: email@example.com
Postal address: 1152 15th Street NW, Suite 800, Washington, DC 20005, USA
Telephone number: 01 651 400 8730
Name of EU representative: DataRep
Email address: firstname.lastname@example.org
You can also contact DataRep using this online form: https://www.datarep.com/data-request
Postal address: The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
What Personal Data Does Granicus Collect?
As part of our marketing efforts, we collect your personal data such as your name, place of employment and address, job position, e-mail address, and phone number. This data is generally gathered directly from you through forms on our website, or over the phone, and is used to communicate with you and to personalize such communications, including offering products and services that we believe may be of interest to someone in your position. Information about your chosen subscriptions is used to better provide you with relevant e-mail content.
We gather business contact details about you from publicly accessible sources, such as your business or work website, or we may receive business-to-business (B2B) information from third party lists. Our employees may also search for your business contact details online and enter your information into our marketing database. If you reside in the EU/UK, we will ask for your opt-in consent to contact you. If you reside in the USA, we will provide you an option to opt-out on our first communication.
In certain situations, such as when you authorize a form on our website to be prefilled, we may receive data (such as first name, last name, e-mail address, job title, and company) from your past interaction with our website.
We gather certain data automatically upon your visit to our website, including browser type, Internet service provider (ISP), referring/exit pages, the files viewed on our site and e-mails (e.g., HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data to analyse trends in the aggregate and administer the site. If you interact with web forms on our site or emails from us, your IP address is captured and used to infer your location, which helps us to serve you relevant content.
Our website also collects cookies. However, we will give you an option to opt-in or out to cookie tracking technologies depending upon your local jurisdiction.
How Do We Justify Collecting Your Data?
We will use your personal data when the law allows us to. While national legislation differs (such as EU national law responses to the ePrivacy Directive), in general it will depend on where you are and whether you are acting in a business or personal capacity.
Most commonly, for marketing purposes, we will process your personal data in the following circumstances:
- Where you positively consent (used more heavily where you are a private citizen), we will not collect your data unless we have your permission (a positive “opt-in” action), or you have reached out to contact us proactively.
- Where it is necessary for our legitimate interests (used more commonly where you are acting in your business capacity), such as where we have a business or commercial reason for using your information, and your interests and fundamental rights do not override those interests. This is normally an “opt-out” scenario, contacting you until you tell us otherwise.
Where we are not certain of your business or personal capacity, we will apply the strictest possible justification (we will assume you are a private citizen, and therefore all services will be an “opt-in” data collection).
Our legitimate interests may include:
- Providing high quality customer service.
- Complying with laws or regulations that apply to us.
- Developing our products and services, and what we charge for them.
- Defining customers for our products and services.
- Seeking your consent when we need it to contact you.
- Providing our customers with relevant marketing, and other high-quality product and service features.
- Keeping our marketing updated and relevant.
For What Purposes Do We Use Your Data?
Our data use depends on the purpose of collection. The main reasons include:
To monitor and analyse web traffic; can be used to keep track of your behaviour on our website.
- Contacting the user, managing contacts, and sending messages
By registering on the mailing list or for the newsletter, your email address will be added to the contact list of those who may receive email messages containing information of commercial or promotional nature concerning our services. Your email address might also be added to this list as a result of signing up to our services or after making a purchase.
By filling in the contact form with your data, you authorize us to use these details to reply to requests for information, quotes, or any other kind of request as indicated by the form’s header.
We may also collect data concerning the date and time when the message was viewed by you, as well as when you interacted with it, such as by clicking on links included in the message.
- Content performance and feature testing (A/B testing)
To track and analyse your responses concerning web traffic or your behaviour regarding changes to the structure, text, or any other component of this website.
- Interaction with online survey platforms
To allow you to interact with third party online survey platforms directly.
- Remarketing and behavioural targeting
To allow us and our partners to inform, optimize, and serve advertising when you visit our website based on your use of our services.
- User database management
To build a profile on you by starting from an email address, name, or other information that you provide to us, as well as to track your activities through analytics features. Your business contact details may also be matched with publicly available information about you (such as social networks’ profiles) and used to build up a picture of your business life that we can use for improving our services. Some of these services may also enable the sending of timed messages to you, such as emails based on specific actions performed by you.
What Happens If We Process Your Data for Other Purposes?
We will only use your personal data for the uses and purposes set out above, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original uses and purposes. If we need to use your personal data for an unrelated purpose, we will notify you and will explain the legal basis which allows us to do so.
What Happens if You Do Not Provide the Data?
Nothing. As marketing is optional and only allowed with your permission, we cannot contact you further. If you reside in the US, we will collect your data and give you the ability to opt-out. If you are in the EU/UK, we will contact you only if we have your consent or will contact you to let you know if we have collected your data.
Do We Use Algorithms to Make Decisions About You?
Yes. Our service providers that analyse our website traffic will use algorithms to make decisions about who you are and what your interests are, in order to serve you with targeted advertisements. We will only do this when you have positively consented to this collection and use, which will be presented to you when you enter our website.
Do We Share Your Personal Data With Third Parties?
Yes. We share your personal data with the following categories of recipient:
- Google (Analytics, Website Optimizer)
- Qualified Inc
- ZoomInfo (only for the US)
- Government authorities as permitted or required by law. This may include disclosing your personal data to regulators, or law enforcement authorities. We may transfer and disclose the data we collect about you for the following reasons:
  - To comply with a legal obligation, including, but not limited to responding to a court order;
  - To prevent fraud;
  - To comply with an inquiry by a government agency or other regulator;
  - To address security or technical issues; or
  - To assist government entities in responding to an emergency.
- As part of a business transaction. If the ownership of Granicus changes, or if we merge with or are acquired by another organization, or if we liquidate our assets, your personal data may be transferred to the new organization. If this occurs, the successor organization’s use of your data will also still be subject to this policy and the privacy preferences you have expressed to us.
Do We Sell Your Data to Others?
No. We do not sell marketing data. We do buy business contact details from third party B2B database providers within the US, but we never sell marketing data.
Do We Participate in the Data Privacy Framework?
Yes. Granicus complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/ and search for “Granicus”. We are responsible for the processing of personal data we receive or subsequently transfer to a third party acting as an agent on our behalf. We will comply with the Data Privacy Framework Principles for all onward transfers of personal data from the EU, and the UK, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Data Privacy Framework, we are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In addition, Granicus commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Gibraltar Regulatory Authority (GRA) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF. You may engage such authorities if you have concerns regarding our adherence to the Data Privacy Framework Principles or any applicable privacy law or regulations. We will respond directly to such authorities regarding investigations and resolution of complaints. Under certain conditions, more fully described on the Data Privacy Framework website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Where Does Your Data Go?
Granicus is owned and operated within the United States. Therefore, the data that we collect from you will be transferred to, and stored at, a destination outside the European Economic Area (“EEA”)/UK.
Granicus’ compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF deems the organization to provide adequate privacy protection, which is a requirement for the transfer of personal data outside of the European Union under the EU General Data Protection Regulation (GDPR), and outside of the United Kingdom under the UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR).
How Do We Protect Your Data?
We are committed to ensuring that your personal data is secure. In order to prevent unauthorized access, loss or disclosure, we have put in place security controls that reduce the risk of a security breach of your personal data.
If a data breach does occur, we will do everything in our power to limit the damage. In case of a high-risk data breach, and depending on the circumstances, we will inform you about remedial actions to prevent any further damage. We will also inform the relevant supervisory authority or authorities of the breach.
Employees and temporary workers are required to follow policies, procedures, and complete confidentiality training to understand the requirement of maintaining the confidentiality of customer information. If they fail to do so, they are subject to disciplinary action. All employees are required to complete privacy and security training. We also offer a wide variety of other training to all employees and temporary workers to help us achieve our goal of protecting your personal data.
How Long Will We Keep Your Data?
Your data will not be retained for a period longer than necessary for the purpose it was collected for. We may also keep data for the relevant statutory period where there is a risk of a legal claim. Particularly, if you are a customer or part of the customer account, we will keep your data for as long as you remain a customer plus the legal statutory period (6 years).
What Rights Do You Have?
To exercise any of the following rights, please contact email@example.com. Under certain circumstances, by law you have the right to:
- Add your data to a “Do not market” suppression list. This is not erasure of your data, as we need to retain your contact details to know not to use them! We will supply “unsubscribe” links or similar, on all marketing communications.
- Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction or completion of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data only where we no longer have good reason for us continuing to process it. You can also exercise this right by visiting our subscription management center.
- Request objection to processing of your personal data. This enables you to object to processing of your personal data where we are relying on a legitimate interest.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Withdraw your consent to the processing of certain personal data (only where you have previously provided consent).
- Make a complaint to the relevant local, national, or industry privacy regulator.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Will We Penalize You for Using Your Rights?
We will not discriminate against you for exercising any of your rights under applicable law (such as GDPR, CCPA etc.). Unless permitted by the applicable laws, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services, or a different level or quality of goods or services.
Do We Track You Online?
Yes. We do use online tracking technologies, such as cookies or similar technologies to analyze trends, administer the website, track users’ movements around the website, and to gather demographic information about our user base. Depending upon your local jurisdiction you will be provided with a cookie notice when you visit the site. The cookie notice will provide you an option to update your preference.
Currently, various browsers offer a “do not track” or “DNT” option and global privacy control which sends a signal to websites visited by the user about the user’s browser DNT preference setting. We will do our best to respect such signals we receive, and as required where placing tracking technologies on your device, notify you what and why.