Effective May 11, 2018
Beginning May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will be in effect. These new regulations provide EU residents with greater control over what, how, why, where, and when their personally identifiable data is used, processed or disposed of. The regulations expand these rights beyond the borders of the EU, applying to organizations, such as ours, that process personal data of EU residents on behalf of our customers (“Personal Data”). GaggleAMP has been committed to the privacy of our customers and end users, wherever located, since our inception, and complying with GDPR principles is no exception.
GaggleAMP, Inc. (“GaggleAMP”, “we”, “us” or “our”) either already meets or is implementing our obligations as a data processor under GDPR. We certified our services, for which we act as a data processor, under both the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (collectively, “Privacy Shield”) on April 19, 2017. GaggleAMP adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. For purposes of enforcing compliance with the Privacy Shield, GaggleAMP is subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission. For more information on Privacy Shield and/or to verify our participation please visit the U.S. Department of Commerce’s Privacy Shield Website. We are committed to periodically reviewing our policies and verifying our compliance.
This GDPR and Privacy Shield Statement (“Statement”) describes how GaggleAMP collects, uses, and discloses certain personally identifiable information that we receive in the United States (“U.S.”) from the European Union, the European Economic Area, and Switzerland. In this Policy, the European Union and the European Economic Area are collectively referred to as the “EU”.
I. Information We Collect
We adhere to the principles of the Privacy Shield with respect to Personal Data provided by: (i) individuals who visit our website and voluntarily provide their information, and (ii) our customers, vendors, contractors, and agents. As GaggleAMP provides a platform for information controlled and shared by others, it is our customers and their users who control the content transmitted across our platform (e.g. images, written content, graphics, etc.). To the extent that we merely transmit, route, switch or cache information on behalf of our customers, we may rely upon and require such customer to comply with underlying legal requirements with respect to such processing.
Our service provides a way for our customers to amplify their social media presence and engage their end users, which may be customers, employees, brand ambassadors, colleagues, family & friends, or otherwise in a more impactful way. Through providing this service, the personal information we may collect may include:
1. First and last names
2. Email addresses
3. Username and password for your GaggleAMP account
4. Social media sites you are affiliated with and associated usernames. We do not collect your passwords for your social media accounts. Your password is independently verified by the applicable social media account provider directly.
5. Personal information you submit to us via our customer service methods
6. Usage, viewing, and technical data, including device identifier and/or IP address, or location information
7. Billing information (for subscribers)
8. Log files, information collected by cookies or similar technologies about actions taken when accessing our platform
9. Data submitted by our customers, which we process on their behalf
II. Purposes of Personal Information Collection and Use
GaggleAMP collects, uses and processes Personal Data for the purposes of:
1. Providing information about our products, services and events
2. Providing products, services and support to our customers
3. Communicating with customers, business partners, vendors, agents and contractors about business matters
4. Analysis of information in order to improve business practices, products and services
5. Conducting related tasks for legitimate business purposes
6. Other purposes disclosed at the time of collection
7. Compliance with legal requirements
GaggleAMP will only process Personal Data in ways that are compatible with the purpose for which GaggleAMP collected the Personal Data, or for purposes that the individual or customer providing the Personal Data authorizes. Before we use your Personal Data for a purpose that is materially different than the purpose for which it was collected or that you authorized, we will provide you with the opportunity to opt out. GaggleAMP maintains reasonable procedures to help ensure that Personal Data is reliable for its intended use, accurate, complete, and current. Our customers have employees that act as “Gaggle Managers” that manage their accounts and the end users they invite to participate in their account. Certain information is used in the aggregate to provide analytics to the Gaggle Manager. The Gaggle Manager can access your email address, name, usage info and information that is not tied to you personally but may contain demographic information about the members of the Gaggle in part or as a whole. This aggregated information is also made available outside the Gaggle that the information was collected in to provide overall site demographic information. This aggregate and non-personally identifiable information may be used by GaggleAMP for its business purposes.
III. Data Transfer to Third Parties
1. Third Party Agents or Service Providers. We may transfer Personal Data to our third-party agents or service providers that perform functions on our behalf. You can access our current list of subprocessors here. We enter into written agreements with those third-party agents and service providers requiring them to provide the level of protection required by the GDPR if applicable to such third-party agents and service providers, and if not, then compliance with Privacy Shield or the same level of protection that Privacy Shield requires and limiting their use of the Personal Data to the specified services provided on our behalf. We take reasonable and appropriate steps (i) to ensure that third-party agents and service providers process Personal Data in accordance with our Privacy Shield obligations and (ii) to stop and remediate any unauthorized processing. Under certain circumstances, we may remain liable for the acts of our third-party agents or service providers that perform services on our behalf for their handling of Personal Data that we transfer to them.
2. Third Party Data Controllers. In some cases, we may transfer Personal Data to unaffiliated third-party data controllers. These third parties do not act as agents or service providers and are not performing functions on our behalf. We may transfer your Personal Data to third party software and services companies whose products interact with GaggleAMP products and services in certain instances where a GaggleAMP customer is also a client of such third party. Examples of Third Party Data Controllers would be Facebook, Twitter, LinkedIn, and other social media applications. We will only provide your Personal Data to third party data controllers where you have not opted out of such disclosures. As a policy we work with only third-party data controllers that are GDPR or Privacy Shield compliant, and when possible enter into written contracts with any such third-party data controllers requiring them to provide the same level of protection for Personal Data that GDPR or Privacy Shield, as applicable, requires.
IV. Disclosures for National Security or Law Enforcement
Under certain circumstances, we may be required to disclose your Personal Data in response to valid requests by public authorities or to meet national security or law enforcement requirements.
GaggleAMP maintains reasonable and appropriate security measures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration, or destruction in accordance with Privacy Shield.
VI. Access rights
You may have the right to access the Personal Data that we hold about you and to request that we correct, amend, or delete it if it is inaccurate or processed in violation of Privacy Shield. These access rights may not apply in some cases, including where providing access is unreasonably burdensome or expensive under the circumstances or where it would violate the rights of someone other than the individual requesting access. If you would like to request access to, correction, amendment, or deletion of your Personal Data, you can submit a written request to the contact information provided below. We may request specific information from you to confirm your identity. If your Personal Data was provided to us by a GaggleAMP customer, we may facilitate your access to such data by directing you to the customer that provided your data to us.
VII. Staff and Responsibilities
Everyone who works for or with GaggleAMP has some responsibility for ensuring data is collected, stored and handled appropriately. Only employees who need to access or know the Personal Data in order to accomplish their work have access to such Personal Data. Our employees that have access to Personal Data must ensure that it is handled and processed in line with this policy and data protection principles. The Board of Directors (“Board”) is ultimately responsible for ensuring that GaggleAMP meets its legal obligations. GaggleAMP has designated the Chief Technology Officer to oversee its information security policies and procedures, including its compliance with the EU and Swiss Privacy Shield program. The Chief Technology Officer shall review and approve any material changes to this policy as necessary.
VIII. Questions and Concerns
If you have any questions, concerns, or comments regarding this Statement or our use of your Personal Data, please contact us at firstname.lastname@example.org.
22 McGrath Highway, Suite 204
Somerville, MA 02143
We reserve the right to amend this Policy from time to time consistent with GDPR and Privacy Shield requirements.