GDPR ADDENDUM
Last modified: September 14, 2023
This GDPR Addendum (“GDPR Addendum”) supplements the information contained in the Constant Contact Privacy Notice (the “Privacy Notice”). The purpose of this GDPR Addendum is to comply with the European Union’s General Data Protection Regulation 2016/679, or GDPR in connection with the Processing of Personal Data under this GDPR Addendum. If you are a resident of the European Economic Area ("EEA") or the United Kingdom (UK), you may have additional rights under the UK GDPR or the Swiss Data Protection Agreement with respect to your Personal Data, as outlined below. Capitalized terms used but not defined in this GDPR Addendum have the definitions assigned to them in the Privacy Notice.
In this GDPR Addendum, we use the terms "Personal Data", “Data Controller” and "Processing" as they are defined in the GDPR. Generally, "Personal Data" refers to information that can be used to individually identify a person, “Data Controller” refers to the legal entity which determines the purpose and means of the Processing of Personal Data, and "Processing" refers to actions that can be performed in connection with data such as collection, use, storage and disclosure.
For purposes of the GDPR, Constant Contact acts as the Data Controller of your Personal Data that you provide to us. However, we also process certain Personal Data of your customers or contacts in connection with our provision of services to you. In these cases, we process the Personal Data of your customers and contacts on your behalf. If we receive inquiries about Processing Personal Data from your customers or contacts, we will direct such inquiries to you as the Data Controller of such Personal Data.
Legal Basis for Processing Personal Data
Personal Data can only be Processed under the GDPR if there is at least one lawful basis to do so. We rely on the following legal grounds for Processing your information:
Legitimate Interest
Providing you with information about Constant Contact Services, and offering and improving our Services.
Facilitating your movement through the Constant Contact websites and applications and your use of our Services.
Providing you with requested information or technical, product and other support.
Measuring and understanding the effectiveness of the content we provide to you and others.
Diagnosing problems with our Services in order to conduct troubleshooting.
Conducting data analysis, testing, research, and statistical and survey analysis.
Conducting our security and compliance programs.
Communicating with customers and website visitors.
Contractual Necessity
Providing the requested Services to you and ensuring the proper functioning of our Services.
- If you do not provide the contractually required information, you may not be able to use our Services. For example, we need your contact information to create an account.
Consent
Enhancing our advertising and marketing efforts to improve our websites by monitoring and analyzing trends, usage and activity in connection with our Services.
Providing direct marketing communication.
Targeting prospective customers with our Services.
Assisting us in offering you a personalized experience or otherwise tailoring our websites, applications, Service offerings to you and to ensure content from our websites and applications is presented in the most effective manner for you and your device.
Sharing with Service Providers and Vendors
We share Personal Data with vendors, service providers and agents who work on our behalf and provide us with services related to the purposes described in our Privacy Notice. The categories of service providers we share your Personal Data with include:
Cloud hosting services;
Analytics services;
Marketing and advertising services;
Advertising networks;
Customer relationship management services;
Customer support services;
Software services;
E-commerce services;
Professional services;
Fraud detection and deterrence services;
Storage services;
Search engine optimization services; and
Information technology services.
For purposes of the GDPR, we enter into contracts with such service providers that prohibit them from using any of your Personal Data for any purpose beyond the purpose for which it was shared.
Legal Process
If legally required to do so, or if we have a good faith belief that such disclosure is reasonably necessary, we may disclose your Personal Data to courts of law, public authorities and other relevant third parties (such as internet service providers), to meet national security or law enforcement requirements, conduct an investigation, respond to a civil or criminal or court order, to bring legal action, prevent harm to others or pursue other relief.
This disclosure can include transferring your information to the United States and other countries outside the EEA and the UK.
Cookies, tracking technologies and online advertising
We use Tracking Technologies in the course of our business. Information about the technologies we use, why we use them (for example, in connection with online advertising), and how you can control them can be found in our Cookie Notice.
You can select your cookie preferences upon your first visit to our site. If you choose to change your preferences, you may do so at any time by clicking the “Cookie Preferences” link in the footer of our website homepage.
When you opt out of cookies, you will be opted out of all non-required cookies. You cannot opt out of required cookies because these cookies are required to help our websites work correctly. For example, these cookies allow you to navigate our website and use essential features, including secure areas and shopping baskets.
Our service providers and vendors may also use Tracking Technologies in order to provide you advertising based upon your browsing activities and interests. If you wish to opt out of interest-based advertising, click here and click here to opt out on your mobile device. Please note you will continue to receive generic ads.
Data Transfers
In order for us to provide the Services to you, your Personal Data will be transferred to and stored in the United States, where Constant Contact is located. Your Personal Data is also processed by staff operating outside the EEA, such as in India and the Philippines, who work for us or for one of our suppliers or service providers. We will take all steps reasonably necessary to ensure that your Personal Data is treated securely and in accordance with this GDPR Addendum.
All transfers of Personal Data (i) within the Constant Contact corporate family, as further described in the Privacy Notice, and (ii) to third parties, will be under the EU-U.S. Data Privacy Framework pursuant to the European Commission’s adequacy decision, dated July 10, 2023, and to the extent the EU-U.S. Data Privacy Framework is deemed not to be a valid transfer mechanism, then under the European Commission’s model contracts for the transfer of Personal Data to third countries (i.e., the standard contractual clauses), pursuant to European Commission decision 2021/914, dated 4 June 2021, and as applicable under the UK Extension to the EU-U.S. Data Privacy Framework, and to the extent the UK Extension to the EU-U.S. Data Privacy Framework is deemed not to be a valid transfer mechanism, then the relevant UK Addendum to the clauses.
Constant Contact (including SharpSpring Technologies, Inc.) participates in and has certified its compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework (together, the “Frameworks” or the “Privacy Frameworks”). Constant Contact (including SharpSpring Technologies, Inc.) is committed to subjecting all Personal Data received from the EEA, UK and Switzerland, respectively, in accordance with each Privacy Frameworks, and to the Frameworks’ applicable Principles. To learn more about the Privacy Frameworks, and to view our certifications, visit the U.S. Department of Commerce at https://www.dataprivacyframework.gov/s/participant-search.
Constant Contact is responsible for the Processing of Personal Data it receives, under each Privacy Framework, and subsequently transfers to a third party acting as an agent on its behalf. Constant Contact complies with the Privacy Framework Principles for all onward transfers of Personal Data from the EEA, UK and Switzerland, including the onward transfer liability provisions.
With respect to Personal Data received or transferred pursuant to the Privacy Frameworks, Constant Contact is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Under certain conditions, as more fully described on the Privacy Framework website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
You can contact us at the address listed below to obtain a copy of the data transfer agreement or more information regarding the relevant safeguards we have put in place. For more information about the Privacy Frameworks, please visit the U.S. Department of Commerce’s Privacy Framework website.
You may click on the seal to check Constant Contact’s privacy verification status.
Your Privacy Rights
You have certain rights with respect to your Personal Data, including those set forth below. For more information about these rights, or to submit a request, please email privacy@constantcontact.com. Please note that in some circumstances, we may not be able to fully comply with your request, such as if it is frivolous or extremely impractical, if it jeopardizes the rights of others, or if it is not required by law, but in those circumstances, we will still respond to notify you of such a decision. In some cases, we may need you to provide us with additional information to verify your identity and the nature of your request.
Privacy Right | Summary |
Access | You can request more information about the Personal Data we hold about you and request a copy of such Personal Data. |
Rectification | If you believe that any Personal Data we are holding about you is incorrect or incomplete, you can request that we correct or supplement such data. |
Erasure | You can request that we erase some or all of your Personal Data from our systems. |
Withdrawal of Consent | If we are Processing your Personal Data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. |
Portability | You can ask for a copy of your Personal Data in a machine-readable format. You can also request that we transmit the data to another Data Controller where technically feasible. |
Objection | You can contact us to let us know that you object to the further use or disclosure of your Personal Data for certain purposes, such as for direct marketing purposes. |
Restriction of Processing | You can ask us to restrict further Processing of your Personal Data. |
Right to File Complaint | You have the right to lodge a complaint about Constant Contact's practices with respect to your Personal Data with the supervisory authority of your country or EU member state. |
GDPR Representative
We have appointed IT Governance Europe Limited to act as our EU representative, and GRCI Law Limited to act as our UK representative. If you wish to exercise your rights under the GDPRor UK GDPR, or have any queries in relation to your rights or general privacy matters, please email our EU representative at eurep@itgovernance.eu, or our UK representative at ukrep@grcilaw.com. Please ensure to include our company name in any correspondence you send to our representatives.
Contact Us and Complaints
If you have any questions about this GDPR Addendum or our data handling practices, or you wish to make a complaint, you may contact us at privacy@constantcontact.com or by regular mail at:
Legal and Compliance Department
Constant Contact, Inc.
1601 Trapelo Road
Waltham, MA 02451
U.S.A.