Content Experience Hub (“CXH”)
Effective on: 3/22/2023
Introduction and Scope
Syndigo LLC (“Syndigo,” “we,” “us,” “our”) takes the protection of personally identifiable information (“Personal Data”) very seriously. This Privacy Notice (the “Notice”) addresses individuals whose Personal Data we may receive in our web-based software application, Content Experience Hub (“CXH”). In particular, we may receive Personal Data of customer-appointed key contacts associated with products that are syndicated with CXH, as well as web analytics data relating to website visitors of our customers using Syndigo’s Enhanced Content application.
In operating CXH, we act only as a storage and service provider. Our access to the Personal Data within CXH is limited to that strictly needed for account administration matters to supply the services our customers have asked for, or as required by law.
Please read this Notice to learn more about how we collect, use, and otherwise process your Personal Data within CXH. This Notice also explains your rights under the General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”), and other applicable privacy laws (“Applicable Laws”).
This Notice does not apply to Personal Data we collect by other means, such as Personal Data that we receive directly through Syndigo’s own publicly accessible website (www.syndigo.com), as part of our sales and marketing efforts, and the Personal Data of our employees.
This Notice also does not apply to the Personal Data we collect from our customers’ users of CXH for customer support and product improvement purposes, for which we act as a “data controller”. The Personal Data submitted to us as a data controller within CXH is governed by the Syndigo Privacy Notice (available at https://syndigo.com/legal/privacy-policy/) and Applicable Laws.
In the context of this Notice, Syndigo acts as a “data processor” or “service provider” for the Personal Data we process for our customers through CXH. This means that our customers determine the type of Personal Data they provide to Syndigo to process on their behalf. We typically have no direct relationship with the individuals whose Personal Data we receive from our customers.
Basis of Processing
Within the scope of this Notice, we process Personal Data based on the documented instructions of our customers. To learn about our customers’ lawful bases for processing your Personal Data, please read their privacy notices.
How We Receive Personal Data
We may receive your Personal Data when:
- you provide it directly to us as part of using CXH;
- our customers (including their employees, contractors, and other representatives of the company) provide it to us;
- you visit our customer’s website (only applicable to website visitors of Syndigo customers using Enhanced Content); or
- we receive it from other companies within our corporate group.
Categories of Personal Data
We may process the following types of Personal Data:
- biographical information, such as first and last name;
- professional information, such as business email, role/job title, and company name;
- contact information, such as email address, phone number, and physical address;
- account information, such as username and password; and
- web analytics data, such as user, session, and visit IDs (randomly generated GUID), IP address, and site behavior (only applicable to visitors of websites where customer Enhanced Content is embedded).
Purposes of Processing
We may process your Personal Data for:
- enabling the use of CXH (for example, to provide you with access to CXH);
- providing web analytics to Syndigo customers who use Enhanced Content; and
- ensuring that only authorized users access CXH.
We keep Personal Data for as long as instructed by the respective customer. Such a customer typically acts as a data controller.
Sharing Personal Data with Third Parties
We may share Personal Data with our subsidiaries and affiliates, and with our service providers (listed here).
Our service providers process Personal Data on our behalf and agree to use the Personal Data only to aid us in operating CXH or as required by law. Our service providers may provide:
- application hosting services;
- cloud storage services;
- colocation data services;
- records and data management services;
- Database Administration (DBA) services;
- IT services;
- security services;
- email software;
- CRM services; and
- analytics services.
Some of these third parties may be outside of the United States. However, before transferring your Personal Data to these third parties, we will either ask for your explicit consent or require the third party to maintain at least the same level of protection and security for your Personal Data that we do. We remain responsible for Personal Data that we transfer to third parties within the scope of our Privacy Shield certification. However, we are not responsible for any unauthorized or improper processing of your Personal Data if we can prove that we are not in any way responsible for the event giving rise to the damage.
In addition, some of these third parties may be outside of the European Economic Area, Switzerland, and the United Kingdom. In some cases, the European Commission or the relevant authorities of your country may not have determined that the countries’ data protection laws provide a level of protection equivalent to European Union law. We will only transfer your Personal Data to third parties in these countries when proper safeguards are in place. Such safeguards include the 2021 European Commission approved standard contractual data protection clauses, Binding Corporate Rules for Processors, and appropriate technical, contractual, and organizational supplemental measures to ensure the safety of the Personal Data.
Other Disclosure of Your Personal Data
Depending on the circumstances, we may need to disclose your Personal Data if the law requires it, or if we have a good-faith belief that we need to do so to comply with official investigations or legal proceedings (where initiated by government officials or private parties). We may also disclose your Personal Data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your Personal Data to our subsidiaries or affiliates for business purposes, if necessary and as described in the section above.
We reserve the right to use aggregated, anonymous data about individuals whose Personal Data we process in our CXH application for any legal business purpose. Such data does not include any Personal Data. The purposes may include analyzing usage trends or seeking compatible advertisers, sponsors, and customers.
In the unlikely event that we must disclose your Personal Data to comply with official investigations or legal processing started by governmental and/or law enforcement officials, we may not be able to ensure that such recipients will maintain the privacy and security of your Personal Data.
Data Integrity & Security
Syndigo has implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect Personal Data from unauthorized processing such as unauthorized access, disclosure, alteration, or destruction.
Your Privacy Rights
If we process your Personal Data, you may have the right to request access to (or to update, correct, or delete) such Personal Data. You may also have the right to ask that we limit our processing of such Personal Data, as well as the right to object to our processing of such Personal Data. You may also have the right to data portability.
If we have received your Personal Data in reliance on our Privacy Shield certification, you may also have the right to opt out of having your Personal Data shared with third parties and to revoke your consent to our sharing your Personal Data with third parties. You may also have the right to opt out if your Personal Data is used for any purpose that is materially different from the purpose(s) for which it was originally collected or which you originally authorized.
Please note that requests should generally be sent directly to the Syndigo customer who provided your Personal Data to us. Syndigo has limited rights to access and process the Personal Data our customers submit to us or instruct us to process. If sending the request directly to the Syndigo customer is not possible for any reason and you decide to contact us with such a request, please provide the name of the Syndigo customer who submitted your Personal Data to us. We will forward your request to that customer and provide any needed assistance as they respond to your request.
EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
For Personal Data processed in the scope of this Notice, Syndigo complies with the principles of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (the “Privacy Shield”), as adopted and set forth by the U.S. Department of Commerce, regarding the processing of the applicable Personal Data. We commit to adhere to the Privacy Shield Principles and have certified our adherence to the Department of Commerce. However, note that Syndigo does no longer receive Personal Data in reliance of the Privacy Shield.
To learn more about the Privacy Shield, and to view our certification, please visit https://www.privacyshield.gov and https://www.privacyshield.gov/list, respectively.
VeraSafe Privacy Program
Syndigo is a member of the VeraSafe Privacy Program. This means that VeraSafe has assessed our data governance and data security (regarding Personal Data processed within the scope of this Privacy Notice) for compliance with the VeraSafe Privacy Program Certification Criteria. The certification criteria require that participants maintain a high standard for data privacy. Participants must also implement specific best practices regarding notice, onward transfer, choice, access, data security, data quality, recourse, and enforcement.
Where a privacy complaint or dispute cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Privacy Shield Dispute Resolution Procedure, please submit the required information through the webform located here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/
If a complaint or dispute related to Personal Data cannot be resolved through Syndigo’s internal process, in addition to the VeraSafe Dispute Resolution Procedure, Syndigo has agreed to cooperate with the EU data protection authorities and the Swiss Federal Data Protection and Information Commissioner, and to take part in the dispute resolution procedures of the panel established by such data protection authorities.
If your dispute or complaint cannot be resolved by us, nor through the dispute resolution program established by VeraSafe, you may have the right to require that we enter binding arbitration with you under the Privacy Shield’s “Recourse, Enforcement and Liability Principle” and Annex I of the Privacy Shield.
Syndigo is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
European Union Supervisory Authority Oversight
If we process your Personal Data and you are not satisfied with how we process your Personal Data, you may also have the right to lodge a complaint with a data protection regulator. For example, under the GDPR you can file a complaint with a data protection authority in one or more of the European Union Member States. In particular, you may have the right to file a complaint with the data protection authority in the European Union Member State where you reside, work, or where you believe that there has been an infringement of the GDPR.
Privacy of Children
Our services are not meant for anyone under the age of 18 and we do not knowingly collect Personal Data from minors. If we learn that we process Personal Data from a child under the age of 13, we will delete the Personal Data we have stored as quickly as possible. If you believe that we might have any Personal Data from or about a child under the age of 13, please contact us or the customer that has provided the child’s information to us.
Changes to this Notice
If we make any material change to this Notice, we will post the revised Notice to this web page. We will also update the “Effective” date. By continuing to use CXH after we post any of these changes, you accept the modified Notice.
If you have any questions about this Notice or our processing of your Personal Data, please write to our Privacy Team by email at email@example.com or by postal mail at:
Attn: Debra Osborn, Senior Counsel
141 W. Jackson Blvd., Ste 1220
Chicago, IL 60604
Please allow up to four weeks for us to reply.
European Union Representative
We have appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/ or via telephone at: +420 228 881 031.
Alternatively, VeraSafe can be contacted at:
VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
United Kingdom Representative
We have appointed VeraSafe as our representative in the United Kingdom for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at: +44 (20) 4532 2003.
Alternatively, VeraSafe can be contacted at:
VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
Data Protection Officer
We have appointed VeraSafe as our Data Protection Officer (DPO). While you may contact us directly, VeraSafe can also be contacted on matters related to the processing of Personal Data. VeraSafe’s contact details are:
100 M Street S.E., Suite 600
Washington, D.C. 2000