Spredfast Privacy Center
Spredfast takes privacy and data protection seriously. We value your trust.
Introduction: We are certified under the EU-US Privacy Shield and Swiss-US Privacy Shield programs. We also have implemented measures to protect data on our platform under applicable rules in regulated industries, including health care (“HIPAA”) and financial services (“FINRA”). In addition, we are compliant with the General Data Protection Regulation (“GDPR”). See below for further information.
Documents & Resources:
- Master Subscription and Services Agreement (PDF)
- Data Protection Addendum (PDF)
- FAQs on our MSA and Data Protection FAQs
- Data Subject Request Form (PDF)
Summary & FAQs
Overview & Purposes for Data Collection: We collect information from our customers (“Customers”) who use our SaaS and related services (“Spredfast Services”) and visitors (together with Customers, “Visitors”) for legitimate business purposes only, primarily to provide our Spredfast Services and operate the websites we use to run our business (our “Websites”).
We also process content on behalf of our Customers as their data processor. This content consists of content published or generated through the Spredfast Services, such as content Customers collect from, or contribute to, Facebook, Twitter or other social media networks. It is our Customers, and not Spredfast, who control how such information and content is collected and used. Spredfast processes (rather than controls) such content in accordance with instructions from Customers.
The Spredfast Services enable Customers to connect other accounts they may have on social media networks or apps, such as Facebook and Twitter. We are not in control of data and content on other websites, apps, networks, etc., even if it runs through our platform. Our Customers are required to abide by the applicable policies and requirements of social media networks or any other websites or apps used in connection with the Spredfast Services.
What Information Do We Collect? We collect information provided to us by individuals on our website as well as content and third party information provided to us or accessed by Customers through Spredfast Services. We also collect information from computers and internet devices primarily to enable us to provide and improve our services. We receive information from Customers and third parties. Customers provide us with data to enable them to log on and use Spredfast Services and content that we process through Spredfast Services.
It is important to understand that we do not own or operate our Customers’ websites or the social media networks or other websites used in connection with the Spredfast Services. When a Customer provides or accesses information through one of our Spredfast Services, we may receive information from the Customer input, in response to, or by way of interaction with, content generated by Customers using Spredfast Services as well as from the Customer’s website or the relevant social media site, including information about actions that the third party takes and may include additional information about the third party that was published on or provided to the Customer website or social media site.
Customers may also use or transfer information collected from their use of Spredfast Services and may transfer such information from our systems to their systems. We do not control how Customers use the information collected by way of their use of Spredfast Services, but Customers must comply with all applicable laws and any applicable terms and conditions, such as terms and conditions of social media networks, when collecting and using such information.
What Does Spredfast do to Protect Data? Spredfast takes data protection very seriously and takes all reasonable measures to secure all data its Customers and partners submit to its platform. Spredfast has successfully passed a SOC 2 audit each year and employs industry best practices. For example, Spredfast trains its personnel on security and privacy measures, enforces controls on access to its systems and encrypts any sensitive data. Additional details about Spredfast’s security practices are available upon request.
What Role Do Social Media Networks or Other Third Parties Play in Data Protection? Data and content that comes from, or is provided to, social media networks or other third party sites will be subject to the data protection and privacy policies of those social media networks and third parties. Spredfast Services provide tools for Customers to access and interact with such sites, but since data and content contributed to or accessed from the Spredfast Services reside on those third party sites, they are also protected in accordance with their policies. This is also the reason Customers and Spredfast must agree to the applicable terms and conditions of such social media networks and third parties.
What Social Media Networks or Third Parties Are Involved & How Do Customers Know? Customers know which of the Spredfast tools interact with which social media networks or other sites because they are described in the product descriptions made accessible to Customers and/or they are apparent on the Customers’ dashboards. Customers can find the applicable privacy policies posted on each of those sites. If they don’t want to use any particular social media network or other site, Customers are free to make those choices.
How is Deletion and Correction of Personally Identifiable Information Handled? At the request of a Visitor, we will delete from our active databases all personally identifiable information the Visitor provided to us. In addition, at the request of a Customer, we will delete from our active databases all Personally Identifiable Information collected by such Customer through Spredfast Services. However, we may not be able to delete information accessed or provided through Spredfast Services if we do not control such information, such as information that originated through a social media network and is consequently controlled by such social media network. In addition, we may retain such information to the extent required by law or document retention policies or if copies are kept in archival backups, but in no event will we use or disclose such information, except as required by law.
International Data Protection: We are based in the US, but also have operations in the UK, Germany and Australia. We have certified to the Privacy Shields (defined below) and are compliant with the GDPR, as explained below, and the applicable Australian privacy laws and regulations.
Where Does Spredfast Process and Store Data: Spredfast processes and stores data on the Amazon Web Services (“AWS”) servers that it licenses, which are located in the United States, unless otherwise specifically agreed in writing by Spredfast and a Customer. AWS maintains that they have certified to the Privacy Shields and will be GDPR compliant as well. See https://aws.amazon.com/compliance/eu-data-protection/ for additional information.
General Data Protection Regulation: Spredfast is fully compliant with the GDPR. In the event that any of our Customers request that we act as a Data Processor with respect to their Customer Data, we will also ask our Customers to be in full compliance and to provide us with directions to control such data which are in compliance with the GDPR. We will have a Data Protection Addendum in such cases which can be integrated into our Master Subscription and Services Agreement with such Customers.
How our Customers can be GDPR Compliant Using Spredfast Services:
- In most use cases, the personally identifiable data submitted by a Customer to our platform is minimal. It is typically the login data submitted by a Customer's employees using the platform.
Whether the Customer's employees are in the EU or the US, Spredfast has appropriate security protocols in place. As described above, Spredfast is certified under the EU-US and Swiss Privacy Shields and can also enter into a Data Protection Addendum to agree to security measures and protocol with the Customer.
As with other vendors, the Customer will need to assess whether it needs consent from its employees submitting their personal data to the Spredfast platform. In many cases the Customer will already have consent.
- With respect to any personal data submitted to a social media network or any other third party site, these circumstances are typically limited but when there is a use case, the network or site, or the Customer, can obtain the necessary consent (or rely on another legal basis) to maintain GDPR compliance. In such cases, we can discuss any additional measures as may be prudent.
- Given the legal bases discussed above, even though Spredfast's AWS servers are in the US, GDPR compliance can be maintained with respect to the Spredfast Services.
Last Updated: May 2018