Spredfast Privacy Center
Spredfast takes privacy and data protection seriously. We value your trust.
Introduction: We are certified under the EU-US Privacy Shield and Swiss-US Privacy Shield programs. We also have implemented measures to protect data on our platform under applicable rules in regulated industries. In addition, Spredfast has implemented data protection and privacy policies and procedures to comply with the General Data Protection Regulation (“GDPR”). and to assist our customers in complying.
See below for further information
Documents & Resources:
- Master Services Agreement (Post 11/1/18) (PDF)
- Standard Service Level Agreement (PDF)
- Data Protection Agreement (PDF)
- FAQs on our MSA and Data Protection FAQs
- Data Subject Request Form (PDF)
- Spredfast Security Standards (PDF)
- Master Subscription and Services Agreement (September 2017-November 2018) (PDF)
Summary & FAQs
Overview & Purposes for Data Collection: We collect information from our customers (“Customers”) who use our SaaS and related services (“Spredfast Services”) and visitors (together with Customers, “Visitors”) to provide our Spredfast Services, conduct our business, and operate the websites we use to run our business (our “Websites”).
We also process content on behalf of our Customers as their data processor. This content consists of content published or generated through the Spredfast Services, such as content Customers collect from, or contribute to, Facebook, Twitter or other social media networks. It is our Customers, and not Spredfast, who control how such information and content is collected and used. Spredfast processes (rather than controls) such content in accordance with instructions from Customers.
The Spredfast Services enable Customers to connect other accounts they may have on social media networks or apps, such as Facebook and Twitter. We are not in control of data and content on other websites, apps, networks, etc., even if it runs through our platform. Our Customers are required to abide by the applicable policies and requirements of social media networks or any other websites or apps used in connection with the Spredfast Services.
What Information Do We Collect? We collect information provided to us by individuals on our website as well as content and third party information provided to us or accessed by Customers through Spredfast Services. We also collect information from computers and internet devices primarily to enable us to provide and improve our services. We receive information from Customers and third parties. Customers provide us with data to enable them to log on and use Spredfast Services and content that we process through Spredfast Services.
It is important to understand that we do not own or operate our Customers’ websites or the social media networks or other websites used in connection with the Spredfast Services. When a Customer provides or accesses information through one of our Spredfast Services, we may receive information from the Customer input, in response to, or by way of interaction with, content generated by Customers using Spredfast Services as well as from the Customer’s website or the relevant social media site, including information about actions that the third party takes and may include additional information about the third party that was published on or provided to the Customer website or social media site.
How is Information Used? We use personally identifiable information only in ways that are relevant and compatible with the purposes for which that information was collected by our Customers, subsequently authorized by the individual user, or as otherwise provided in our Privacy Notice. We take all commercially reasonable steps to ensure that personally identifiable information collected is only used for its intended use and our Customers must do the same.
Customers may also use or transfer information collected from their use of Spredfast Services and may transfer such information from our systems to their systems. We do not control how Customers use the information collected by way of their use of Spredfast Services, but Customers must comply with all applicable laws and any applicable terms and conditions, such as terms and conditions of social media networks, when collecting and using such information.
What Does Spredfast do to Protect Data? Spredfast takes data protection very seriously and takes all reasonable measures to secure all data its Customers and partners submit to its platform. Spredfast has successfully passed a SOC 2 audit each year and employs industry best practices. For example, Spredfast trains its personnel on security and privacy measures, enforces controls on access to its systems and encrypts any sensitive data. Additional details about Spredfast’s security practices are available upon request.
What Role Do Social Media Networks or Other Third Parties Play in Data Protection? Data and content that comes from, or is provided to, social media networks or other third party sites will be subject to the data protection and privacy policies of those social media networks and third parties. Spredfast Services provide tools for Customers to access and interact with such sites, but since data and content contributed to or accessed from the Spredfast Services reside on those third party sites, they are also protected in accordance with their policies. This is also the reason Customers and Spredfast must agree to the applicable terms and conditions of such social media networks and third parties.
What Social Media Networks or Third Parties Are Involved & How Do Customers Know? Customers know which of the Spredfast tools interact with which social media networks or other sites because they are described in the product descriptions made accessible to Customers and/or they are apparent on the Customers’ dashboards. Customers can find the applicable privacy policies posted on each of those sites. If they don’t want’ to use any particular social media network or other site, Customers are free to make those choices.
How is Deletion and Correction of Personally Identifiable Information Handled? At the request of a Visitor, we will delete from our databases all personally identifiable information the Visitor provided to us. In addition, at the request of a Customer, we will delete from our active databases all Personally Identifiable Information collected through Spredfast Services collected by such Customer. However, we may not be able to delete information accessed or provided through Spredfast Services if we do not control such information, such as information that originated through a social media network and is consequently controlled by such social media network. In addition, we may retain such information to the extent required by law or document retention policies or if copies are kept in archival backups or in security logs, but in no event will we use or disclose such information, except as required by law.
International Data Protection: We are based in the US, but also have operations in the UK, Germany and Australia. We have certified to the Privacy Shields (defined below) and Spredfast has implemented data protection and privacy policies and procedures to comply with the GDPR, and to assist our customers in complying.
Where Does Spredfast Process and Store Data: Spredfast processes and stores data on the Amazon Web Services (“AWS”) servers that it licenses, which are located in the United States, unless otherwise specifically agreed in writing by Spredfast and a Customer. AWS maintains that they have certified to the Privacy Shields and will be GDPR compliant as well. See https://aws.amazon.com/compliance/eu-data-protection/ for additional information. For a full listing of Spredfast (and Lithium Technologies) data locations and subprocessors, please click here.
EU-US and Swiss-US Privacy Shield Frameworks: Spredfast has certified to the EU-US and Swiss-US Privacy Shield Frameworks (the “Privacy Shields”) as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. We have certified that we adhere to the Privacy Shields Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the policies in this Privacy Notice and the Privacy Shields Principles, the Privacy Shields Principles shall govern. To learn more about the Privacy Shields programs, please visit https://www.privacyshield.gov/.
General Data Protection Regulation: Spredfast has implemented data protection and privacy policies and procedures to comply with the GDPR, and to assist our customers in complying. In the event that any of our Customers request that we act as a Data Processor with respect to their Customer Data, we will also ask our Customers to be in full compliance and to provide us with directions to control such data which are in compliance with the GDPR. We will have a Data Protection Agreement in such cases which can be integrated into our Master Services Agreement with such Customers.
How Spredfast Services can assist our customers with GDPR compliance:
- In most use cases, the personally identifiable data submitted by a Customer to our platform is minimal. It is typically the log in data submitted by a Customer's employees using the platform.
Whether the Customer's employees are in the EU or the US, Spredfast has appropriate security protocols in place. As described above, Spredfast is certified under the EU-US and Swiss Privacy Shields and will also enter into a Data Protection Agreement to agree to security measures and protocol with the Customer upon request.
As with other vendors, the Customer will need to assess whether it needs consent from its employees submitting their personal data to the Spredfast platform.
- With respect to any personal data that our Customers choose to submit to a social media network or any other third party site through Spredfast Services, Customer is responsible for obtaining any necessary consent or determining whether or not it can rely on another legal basis to process the data to comply with the GDPR.
Last Updated: November 2018