Last updated: Sep 25, 2023
Syndigo LLC (“Syndigo,” “we,” “us,” “our”) takes the protection of personal data (“Personal Data”) very seriously. This Privacy Notice (the “Notice”) addresses individuals whose Personal Data we receive in our web-based software application, Content Experience Suite (“CES”) as a service provider. In particular, we may receive Personal Data of customer-appointed key contacts associated with products that are syndicated with CES, as well as web analytics data relating to website visitors of our customers using Syndigo’s Enhanced Content application or other analytics features offered by Syndigo.
In operating CES and in the context of this Notice, we act as a service provider. This means that our access to the Personal Data within CES for the purposes described in the Notice is limited to the services our customers have asked for. Please read this Notice to learn more about how we collect, use, and otherwise process your Personal Data within CES as a service provider.
This Notice does not apply to Personal Data we collect by other means, such as Personal Data that we receive directly through Syndigo’s own publicly accessible website (syndigo.com), as part of our sales and marketing efforts, and the Personal Data of our employees. This Notice also does not apply to the Personal Data we collect from our customers’ users of CES for customer support and product improvement purposes, for which we act as a “data controller.” The Personal Data submitted to us as a data controller within CES is governed by the Syndigo Privacy Notice (available at https://syndigo.com/legal/privacy-policy/) and applicable laws.
In the context of this Notice, Syndigo acts as a “data processor” or “service provider” for the Personal Data we process for our customers through CES. This means that our customers determine the type of Personal Data they provide to Syndigo to process on their behalf. We typically have no direct relationship with the individuals whose Personal Data we receive from our customers.
Within the scope of this Notice, we process Personal Data based on the documented instructions of our customers. To learn about our customers’ lawful bases for processing your Personal Data, please read their privacy notices.
We may receive your Personal Data when:
We may process the following types of Personal Data:
We may process your Personal Data for the purpose of:
We keep Personal Data for as long as instructed by our respective customer. Such a customer typically acts as a data controller.
We may share Personal Data with our subsidiaries and affiliates, and with our service providers who are sub-processors (listed here).
Our service providers process Personal Data on our behalf and agree to use the Personal Data only to aid us in operating CES or as required by law. Our service providers may provide:
Some of these third parties may be inside or outside of the United States. However, before transferring your Personal Data to these third parties, we will either ask for your explicit consent or require the third party to maintain at least the same level of protection and security for your Personal Data that we do. We remain responsible for Personal Data that we transfer to third parties within the scope of our Data Privacy Framework certification. However, we are not responsible for any unauthorized or improper processing of your Personal Data if we can prove that we are not in any way responsible for the event giving rise to the damage.
In addition, some of these third parties may be outside of the European Economic Area, Switzerland, and the United Kingdom. In some cases, the European Commission or the relevant authorities of your country may not have determined that the countries’ data protection laws provide a level of protection equivalent to European Union law. We will only transfer your Personal Data to third parties in these countries when proper safeguards are in place. Such safeguards include the 2021 European Commission approved standard contractual data protection clauses, Binding Corporate Rules for Processors, and appropriate technical, contractual, and organizational supplemental measures to ensure the safety of the Personal Data.
Depending on the circumstances, we may need to disclose your Personal Data if the law requires it, or if we have a good-faith belief that we need to do so to comply with official investigations or legal proceedings (where initiated by government officials or private parties). We may also disclose your Personal Data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your Personal Data to our subsidiaries or affiliates for business purposes, if necessary and as described in the section above.
We reserve the right to use aggregated, anonymous data about individuals whose Personal Data we process in our CES application for any legal business purpose. Such data does not include any Personal Data. The purposes may include analyzing usage trends or seeking compatible advertisers, sponsors, and customers.
In the unlikely event that we must disclose your Personal Data to comply with official investigations or legal processing started by governmental and/or law enforcement officials, we may not be able to ensure that such recipients will maintain the privacy and security of your Personal Data.
Syndigo has implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect Personal Data from unauthorized processing such as unauthorized access, disclosure, alteration, or destruction.
If we process your Personal Data, you may have the right to request access to (or to update, correct, or delete) such Personal Data. You may also have the right to ask that we limit our processing of such Personal Data, as well as the right to object to our processing of such Personal Data. You may also have the right to data portability.
If we have received your Personal Data in reliance on our Data Privacy Framework certification, you may also have the right to opt out of having your Personal Data shared with third parties and to revoke your consent to our sharing your Personal Data with third parties. You may also have the right to opt out if your Personal Data is used for any purpose that is materially different from the purpose(s) for which it was originally collected or which you originally authorized.
Please note that requests should generally be sent directly to the Syndigo customer who provided your Personal Data to us. Syndigo has limited rights to access and process the Personal Data our customers submit to us or instruct us to process. If sending the request directly to the Syndigo customer is not possible for any reason and you decide to contact us with such a request, please provide the name of the Syndigo customer who submitted your Personal Data to us. We will forward your request to that customer and provide any needed assistance as they respond to your request.
For Personal Data in the scope of this Notice, Syndigo complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce.
Syndigo has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF. and personal data from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Syndigo has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF.
If there is any conflict between the terms in this Notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.
To learn more about the Data Privacy Framework Principles, and to view our certification information, please visit https://www.dataprivacyframework.gov and https://www.dataprivacyframework.gov/s/participant-search, respectively.
Syndigo is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
Syndigo is a member of the VeraSafe Privacy Program. This means that VeraSafe has assessed our data governance and data security (regarding Personal Data processed within the scope of this Privacy Notice) for compliance with the VeraSafe Privacy Program Certification Criteria. The certification criteria require that participants maintain a high standard for data privacy. Participants must also implement specific best practices regarding notice, onward transfer, choice, access, data security, data quality, recourse, and enforcement.
Where a privacy complaint or dispute cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure. Subject to the terms of the VeraSafe Data Privacy Framework Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure, please submit the required information through the web form located here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/.
If a complaint or dispute related to Personal Data cannot be resolved through Syndigo’s internal process, in addition to the VeraSafe Dispute Resolution Procedure, Syndigo has agreed to cooperate with the EU data protection authorities and the Swiss Federal Data Protection and Information Commissioner, and to take part in the dispute resolution procedures of the panel established by such data protection authorities.
If your dispute or complaint cannot be resolved by us, nor through the dispute resolution program established by VeraSafe, you may have the right to require that we enter binding arbitration with you under the Data Privacy Framework’s “Recourse, Enforcement and Liability Principle” and Annex I of the Data Privacy Framework.
If we process your Personal Data and you are not satisfied with how we process your Personal Data, you may also have the right to lodge a complaint with a data protection regulator. For example, under the GDPR you can file a complaint with a data protection authority in one or more of the European Union Member States. In particular, you may have the right to file a complaint with the data protection authority in the European Union Member State where you reside, work, or where you believe that there has been an infringement of the GDPR.
Our services are not meant for anyone under the age of 18 and we do not knowingly collect Personal Data from minors. If we learn that we process Personal Data from a child under the age of 13, we will delete the Personal Data we have stored as quickly as possible. If you believe that we might have any Personal Data from or about a child under the age of 13, please contact us or the customer that has provided the child’s information to us.
If we make any material change to this Notice, we will post the revised Notice to this web page. We will also update the “Effective” date. By continuing to use CES after we post any of these changes, you accept the modified Notice.
If you have any questions about this Notice or our processing of your Personal Data, please write to our Privacy Team by email at email@example.com or by postal mail at:
Attn: Debra Osborn, Senior Counsel
141 W. Jackson Blvd., Ste 1220
Chicago, IL 60604
Please allow up to four weeks for us to reply.
We have appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at: +420 228 881 031.
Alternatively, VeraSafe can be contacted at:
VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
United Kingdom Representative
We have appointed VeraSafe as our representative in the United Kingdom for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at: +44 (20) 4532 2003.
Alternatively, VeraSafe can be contacted at:
VeraSafe United Kingdom Ltd
37 Albert Embankment
London SE1 7TL
We have appointed VeraSafe as our Data Protection Officer (“DPO”). While you may contact us directly, VeraSafe can also be contacted on matters related to the processing of Personal Data. VeraSafe’s contact details are:
100 M Street S.E., Suite 600
Washington, D.C. 2000