EU-US Privacy Shield and Swiss-US Privacy Shield Policy

1 – Introduction

SharpSpring, Inc. (“SharpSpring,” “we,” “our”) has chosen to take part in the Privacy Shield, and to certify its adherence to the EU-U.S. Privacy Shield Framework and the Swiss-US Privacy Shield Framework, and their respective Principles, and Supplemental Principles (collectively, the “Principles”).

This Privacy Shield Policy (“Shield Policy”) outlines SharpSpring’s general policy and practices for implementing the Principles. It describes the types of Personal Data (defined below) that SharpSpring collects or receives from users, visitors or customers (other than SharpSpring’s employees) located in the European Union or European Economic Area (collectively “EEA”) or Switzerland, how the Personal Data is collected, used and retained, and the rights and choices granted to the Data Subjects to whom this Personal Data pertains, regarding access to Personal Data about them and the accuracy, retention, and protection of Personal Data about them.

2 – Scope and Application

By adopting this Shield Policy and registering with the US Department of Commerce Privacy Shield, SharpSpring agrees to subject its compliance to the regulatory enforcement of the Federal Trade Commission (“FTC”) or any other statutory body empowered to enforce compliance with the Principles. To learn more about the Privacy Shield program, please visit www.privacyshield.gov.

Evidence of SharpSpring’s participation can be found at: https://www.privacyshield.gov/list.  SharpSpring will only display its EU-U.S. Privacy Shield certification marks or make other references to its compliance when it is in compliance with each Principle.

This Shield Policy supplements all other SharpSpring policies, practices, and procedures, including any general privacy notice, confidentiality agreement, customer privacy notice, or other similar agreement.

If there is any conflict between the terms of this Shield Policy and the Principles, with respect to the collection or processing of Personal Data of Data Subjects located in the EEA or Switzerland by SharpSpring, the Principles shall govern.

SharpSpring will be and remain responsible under the Principles for any act or omission of any third party that it engages to process Personal Data on its behalf that are inconsistent with the Principles, unless SharpSpring proves that it is not responsible for the event giving rise to the damage.

3 – Definitions

“Applicable Data Protection Law” means all applicable data protection laws, rules and regulations and regulatory guidance, including any national implementing legislation relating to privacy and data protection, including but not limited to applicable United States federal and state data privacy and data breach notification laws, the European Union General Data Protection Regulation (“GDPR”), and the Swiss Federal Act on Data Protection.

“Data Subject” means an identified or identifiable natural person that is in the EEA or Switzerland.

“EEA” means the European Union and the European Economic Area.

“Identifiable Natural Person” means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Personal Data” means any information relating to a Data Subject that is recorded in any form.

“Sensitive Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or concerning health, sex life or sexual orientation, or genetic or biometric data when used for the purpose of uniquely identifying a natural person.

4 – Collection of Personal Data for the Provision of Legal Services

SharpSpring provides a website where it describes its service. It also interacts with potential customers through its website or through industry events. It also provides services to paying customers who use the SharpSpring Service for their own marketing activities. These services are provided to natural persons and entities located throughout the world.

In the regular course of providing its services, SharpSpring collects, analyzes and reviews Personal Data of Data Subjects in the EEA or Switzerland either as a data controller, for the purposes stated above, or as a processor, on behalf and at the request of its customers, as necessary to provide its Service.

The data collected includes the Personal Data of individuals who visit the SharpSpring service for general purposes, and of individuals who visit the SharpSpring website or that of a customer of SharpSpring in order to understand the product or service that SharpSpring or its customer is offering.

SharpSpring collects this data in the regular course of the provision of legal services for one or more of the following reasons:

– The collection and processing are necessary for the purposes of the legitimate interests pursued by SharpSpring or SharpSpring’s customer or a third party as a data controller and such interests override the interests or fundamental rights and freedoms of the Data Subject.

– The data subject has explicitly consented to the collection of his/her personal data for specified purposes.

SharpSpring does not collect any Personal Data that might qualify as “Sensitive Data.” SharpSpring will treat as Sensitive Data any Personal Data received from a third party where the third party identifies and treats it as sensitive.

In all cases above, SharpSpring collects this data in the regular course of providing services, and as needed for such services, SharpSpring transfers or provides this Personal Data only to its customers.

If SharpSpring directly collects Personal Data, it does so in accordance with this Shield Policy and the Principles. If a customer or a third-party transfers Personal Data to SharpSpring, SharpSpring ensures that such transfer is permissible under applicable law. These transfers are completed in accordance with applicable laws, and only to the extent that they are not prohibited or restricted by applicable law.

5 – Collection of Personal Data for Direct Marketing Purposes

SharpSpring also collects the names, contact information, and interests in specific issues of natural persons, such as potential customers, current customers, prospective customers, business contacts and other third parties for direct marketing purposes or as part of the services that it provides to third parties.

SharpSpring collects some data as a data controller (directly or through third party service providers) in the regular course of its business for its legitimate interests.

In all cases above, SharpSpring collects this data in the regular course of its business operations, and SharpSpring transfers or provides this Personal Data to service providers, and other third parties as necessary to effect the contemplated marketing activities.

SharpSpring collects other data as a data controller (directly or through third party service providers) in the regular course of its business pursuant to the instructions of its customers.

If SharpSpring uses such Personal Data for its own direct marketing or e-marketing purposes, SharpSpring does so in compliance with the Applicable Data Protection Laws.

SharpSpring ensures that such uses and transfers are permissible under applicable law, that they are completed in accordance with Applicable Data Protection Laws, and only to the extent that they are not prohibited or restricted by Applicable Data Protection Laws.

6 – Compliance with the Principles

When collecting and processing Personal Data of Data Subjects as described above, SharpSpring complies with the following Principles:

A. Notice

SharpSpring will provide clear and conspicuous notice to inform Data Subjects of the types of Personal Data that it collects, receives, uses, processes, shares, discloses or retains, and the types of third parties to which SharpSpring may disclose Personal Data.

SharpSpring will inform customers, vendors and service providers that it participates in the Privacy Shield. Such notice may be provided in contracts, on its websites or otherwise.

B. Choice

When SharpSpring acts as a data controller, SharpSpring will offer Data Subjects the opportunity to choose (opt out) whether Personal Data about them is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the Data Subjects.  It will do so in a clear and conspicuous manner and will provide a readily available mechanism to exercise choice.

Where Sensitive Data, if any, is collected, SharpSpring will obtain affirmative express consent from Data Subjects if such information is to be used for a purpose other than those for which it was originally collected or subsequently authorized.

C. Onward Transfer

SharpSpring will not disclose Personal Data to third parties except as provided below, unless SharpSpring is required by law, or when compelled by tribunals, courts, or government agencies, or to meet national security or law enforcement requirements, and only in accordance with the Principles.

When transferring Personal Data to a third party acting as a controller, SharpSpring will comply with the Notice and Choice Principles. SharpSpring will enter into a contract with the third-party controller. The contract will provide that such data may only be processed for limited and specified purposes consistent with this Shield Notice and will require the recipient to provide the same level of protection as the Principles. The contract will require that the recipient notify SharpSpring if it determines that it can no longer meet this obligation and that it cease processing or take other reasonable and appropriate steps to remediate.

When transferring Personal Data to a third party acting as an agent, SharpSpring will: (i) transfer the data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data in a manner consistent with SharpSpring’s obligations under the Principles; (iv) require the agent to notify SharpSpring if it determines that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a copy of the relevant provisions of such contract to the US Department of Commerce upon request.

D. Data Security

SharpSpring will maintain appropriate physical, electronic, and administrative measures, including education and training of its personnel, designed to help safeguard and secure Personal Data.

Personal Data collected or displayed through a website, or that is transmitted between SharpSpring and its customers, will be protected in transit by standard encryption processes.

SharpSpring will maintain reasonable steps to protect the Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. However, SharpSpring cannot guarantee the security of information on or transmitted through the Internet.

E. Purpose Limitation

SharpSpring will collect and process only the Personal Data that is relevant for the purposes of processing. SharpSpring will not process Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the Data Subject.

F. Data Integrity

SharpSpring will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current.

G. Data Retention

SharpSpring will retain Personal Data in a form identifying or making identifiable the Data Subject only for as long as it serves a purpose of processing identified in this Shield Notice.

SharpSpring will have the right to process Personal Data for longer periods of time for archiving in the public interest and for statistical analysis as provided in the Principles.

H. Access

Upon proper proof of their identity, Data Subjects will have the right to obtain access to the Personal Data about them in SharpSpring’s custody or control. They will have the right to obtain the rectification of inaccurate data concerning them, and the right to have incomplete data completed, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the Data Subject or as otherwise restricted by law. Individuals may contact SharpSpring using the contact information provided in the “How to Contact Us” section below.

I. Accountability

SharpSpring will maintain a mechanism for assuring its compliance with the Principles. SharpSpring uses self-assessment. At least once a year, SharpSpring will certify that this Shield Policy is accurate, comprehensive, prominently displayed, implemented and in conformity with the Principles.

SharpSpring will monitor adherence to the Principles and address questions and concerns regarding their adherence. Personnel who violate SharpSpring’s privacy policies may be subject to a disciplinary process.

J. Recourse and Enforcement

Each Data Subject will have the right to raise a complaint by contacting SharpSpring using the contact information provided in the “How to Contact Us” section below. SharpSpring will respond to a complaint within 45 days.

If an issue cannot be resolved by our internal dispute resolution mechanism, SharpSpring has chosen JAMS to be its independent recourse mechanism provider based in the U.S. for the Privacy Shield and the Swiss Federal Act of Data Protection, and SharpSpring agrees to be bound by the decision. Individuals may contact JAMS by phone: 800-352-5267 or by email: msatterthwaite@jamsadr.com. If SharpSpring or JAMS determines that SharpSpring did not comply with this Policy, SharpSpring will take appropriate steps to address any adverse effects and to promote future compliance.

Please contact us as stated in the “How to Contact Us” section to be directed to the relevant SA contacts.

Data subjects also have access to a binding arbitration option in order to address residual complaints not resolved by any other means, as set forth in the Principles.

If SharpSpring becomes subject to a U.S. court order or other order based on non-compliance with the Principles, SharpSpring shall make public any relevant sanctions or other findings.

7 – Limitation of the Application

SharpSpring’s adherence to the Principles and this Shield Policy will be limited as permitted by the Principles: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; or (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations. However, in exercising such authorization, SharpSpring’s non-adherence will be limited to the extent necessary to meet the overriding legitimate interests of the Data Subjects. Where the option is allowable under the Principles and/or U.S. law, SharpSpring will opt for the higher protection where reasonably possible.

8 – Adherence to the Supplemental Principles

SharpSpring adheres to the Supplemental Principles, as applicable, as follows.

A. Sensitive Data

In the regular course of its business, from time to time, SharpSpring will not collect Sensitive Data unless the Sensitive Data is manifestly made public by the Data Subject.

B. Journalistic Exceptions.

SharpSpring does not engage in journalistic activity other than through its newsletters and blogs.

C. Secondary Liability.

In limited circumstances, SharpSpring will, on behalf of others, transmit, route, switch or cache information such that the secondary liability exception applies.

D. Performing Due Diligence and Conducting Audits.

SharpSpring does not perform audits or conduct due diligence for itself or on behalf of its customers.

E. Supervisory Authorities.

SharpSpring commits to cooperate with the EEA Supervisory Authorities and the Swiss Data Protection Authority.

F. Self-Certification.

SharpSpring will apply for and maintain its Privacy Shield certification in accordance with the applicable U.S. Department of Commerce’s protocol.

G. Verification.

SharpSpring will verify its compliance with the Principles through self-assessment. SharpSpring will provide Privacy Shield training to its personnel who may have access to Personal Data and will retain records of its implementation of the Principles and make them available as required.

H. Access.

SharpSpring will provide adequate mechanisms for Data Subject access to the Personal Data that SharpSpring holds about them.

I. Human Resources Data.

SharpSpring does not collect Human Resource Data for individuals who are in the European Union or European Economic Area.

J. Obligatory Contracts for Onward Transfers.

Except as otherwise stated in this Shield Notice, and as permitted by the Principles, SharpSpring will enter into written contracts with any third party to which it intends to transfer Personal Data before transferring such data. The contract will specify that the Personal Data may only be processed for limited and specified purposes consistent with the Shield Notice and other notices provided to the Data Subject and that the recipient will provide the same level of protection as stated in the Principles.

K. Dispute Resolution and Enforcement.

SharpSpring will meet its obligations for dispute resolution and enforcement through enrollment with JAMS for alternative dispute resolution and agreeing to cooperate with the FTC and the U.S. Department of Commerce. SharpSpring will cooperate with any EEA Supervisory Authority or the Swiss Data Protection Authority, as may be necessary. If SharpSpring is subject to any enforcement effort, it will cooperate quickly and fully.

Individuals are encouraged to raise any complaint they may have with SharpSpring by sending it to the attention of nate.geouge@sharpspring.com before proceeding to alternative dispute resolution. SharpSpring will respond to a Data Subject promptly and in any case within 45 days from receipt of a complaint.

L. Choice; Timing of Opt-Out.

SharpSpring will provide data subjects with means to exercise choice and opt-out of the collection of the Personal Data as provided by applicable law.

M. Travel Information.

SharpSpring does not have access to travel information.

N. Pharmaceutical and Medical Products.

SharpSpring does not have access to pharmaceutical and medical products information.

O. Public Record and Publicly Available Data.

SharpSpring will apply the Privacy Shield Principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability, to Personal Data collected from publicly available sources and public records.

P. Access Requests by Public Authorities.

SharpSpring will comply with lawful requests for data from law enforcement and national security agencies.

9 – Information Subject to Other Policies

SharpSpring is committed to following the Principles for all Personal Data of Data Subjects within the scope of the Privacy Shield. Information obtained from or relating to visitors and customers or former customers is further subject to the terms of any privacy notice to SharpSpring users and applicable law.

10 – Amendment

SharpSpring may amend this Policy from time to time by posting a revised policy at https://www.sharpspring.com/legal/us-eu-privacy-notice/ or on any website that replaces this site. SharpSpring will only amend this Shield Policy in a manner consistent with the Principles.

11 – Questions and Comments

Any questions, inquiries, or complaints regarding this Shield Policy or SharpSpring’s participation and compliance with the Privacy Shield may be directed to:

Nate Geouge
550 SW 2nd Avenue
Gainesville, FL 32601
Tel: 352-792-0277
Email: nate.geouge@sharpspring.com

Complaints about SharpSpring’s adherence to the Principles may also be directed to the FTC.
