Data Protection Policy
Last modified: September 2023
About this document
This document is Mediafly’s Data Protection policy. It is intended to document the approach to data protection to which Mediafly adheres, including the collection, handling, and storage of customer, prospect, and employee information.
This Data Protection Policy helps to ensure that Mediafly:
- Complies with relevant data protection law;
- Adheres to commonly-held best practices; and
- Protects the rights of its customers, prospects, and employees
Scope
This Data Protection Policy applies to Mediafly, Inc. and its subsidiaries. The Policy extends to all collection, processing, handling, and storage of company, customer, prospect, and employee personal information.
This document is meant to supplement, and not replace, the Mediafly Information Security Policy document or any other policy, plan or presentation.
Data Processing Agreements
From time to time, our customers may request that we execute Data Processing Agreements, which generally require Mediafly to follow specific collection and processing instructions relating to personal information from our customers. Mediafly is generally willing to execute standard Data Processing Agreements; however, our DPOs are required to review and approve all Data Processing Agreements prior to execution. Mediafly has its own Data Processing Agreement, which is available for all customers.
Legal Compliance
Mediafly respects the privacy of our customers, prospects, and employees, and is committed to protecting the personal information we collect, process, and store about them. To that end, Mediafly endeavors to achieve compliance with applicable privacy-related laws and requirements, including U.S.-based law, U.S.-stage-based laws such as CCPA and CPRA, and the EU and UK versions of the General Data Protection Regulation (GDPR).
Mediafly collects and processes personal information from EU and UK customers, prospects, and employees pursuant to our legitimate business as explained more fully below. In addition, Mediafly obtains affirmative consent from its prospects to deliver targeted marketing material.
Mediafly provides notices prior to collecting data from users. Mediafly requires acceptance of our terms that clearly illustrate what data is collected and for what purpose.
Refer to Mediafly’s Website Privacy Statement and Application User Privacy Statement to learn more about the way in which we collect, process, handle, and store personal information from customers, prospects, and employees.
Personal Data Processing
Mediafly collects personal data on users of our applications.
For users of Mediafly Engagement, Mediafly collects the following personally identifiable information (PII):
- First name
- Last name
- IP address where content was viewed
- User-agent
For users of Value sales tools, Mediafly collects the following PII:
- First name
- Last name
- Email address
- Tool-specific inputs
For users of Value marketing tools: if the tool is configured to collect data, Mediafly collects the PII as configured by the tool. Most often this includes:
- First name
- Last name
- Email address
- Tool-specific inputs
Note that Value marketing tools only collect this PII if the tool was configured to do so. Otherwise, the tool will push this data immediately to the integrated Marketing Automation solution, and wipe itself clean of this data.
For users of iPresent, Mediafly collects the following PII:
- First name
- Last name
- Email address or other unique user identifier
- IP address where content was viewed
For users of Intelligence, Mediafly collects the following PII:
- First name
- Last name
- Email address
For users of Coach, Mediafly collects the following PII:
- Ingests recordings of conversations made by employees, and as such any PII discussed during those recordings is accessible in our system
- First name
- Last name
- Email address
Data Security Incidents
Mediafly has an established process to investigate and respond to data security incidents, such as server intrusion or information leakage. All employees are required to report to the DPO all actual or suspected data security incidents. We will follow the guidelines as outlined in the Incident Management section of the Mediafly Information Security Policy.
Subprocessors
Mediafly does share data with external parties, known as subprocessors. Mediafly uses the following subprocessors in the course of its business:
- Engagement, Value and iPresent:
- Amazon Web Services (AWS) for data storage, processing and distribution
- Fullstory for user insights
- Gainsights for customer success management software
- Hubspot for marketing automation
- SendGrid for email delivery service
- Zendesk for customer support and documentation
- Intelligence:
- Amazon Web Services (AWS) for data storage, processing and distribution
- Datadog for infrastructure monitoring
- Fullstory for user insights
- Gainsight for product usage statistics
- Hubspot for marketing automation
- Postmarkapp for email notifications
- Zendesk for customer support and documentation
- Coach:
- Amazon Web Services (AWS) for data storage, processing and distribution
- Fullstory for user insights
- Hubspot for marketing automation
- Sendgrid for email delivery service
- Zendesk for customer support and documentation
Data transferred to/from the subprocessors is through secure channels and follows Mediafly’s Information Security Policy.
Mediafly has a Data Processing Agreement that outlines specific requirements to which we adhere for each subprocessor.
Handling and Storage
- For Engagement360 customers:
- Currently, Mediafly offers the option for customers to store content and data in any AWS location. This includes:
- USA – N. Virginia
- USA – Ohio
- USA – N. California
- USA – Oregon
- APAC – Mumbai
- APAC – Seoul
- APAC – Singapore
- APAC – Sydney
- APAC – Tokyo
- Canada – Central
- EU – Frankfurt
- EU – Ireland
- EU – London
- EU – Paris
- South America – São Paulo
- Hosting in China is unsupported at this time
- Mediafly can currently offer hosting all storage of content and database in a non-USA and non-China region. E.g., all uploaded content and database data could be stored in EU (Frankfurt). Mediafly, however, currently requires content delivery, APIs, and processing and storage of reporting data to be performed in the US. It is on our roadmap to allow full verticalization of our technology offering, so that all components can reside in another region for specific customers.
- Currently, Mediafly offers the option for customers to store content and data in any AWS location. This includes:
- For Value360 customers:
- Currently, hosting is within the AWS US-East (Northern Virginia) data center. It is on our roadmap to support hosting in other AWS regions.
- For Coach360 customers:
- Currently, hosting is within the AWS US-East (Northern Virginia and Ohio) data centers. It is on our roadmap to support hosting in other AWS regions.
- For Intelligence360 customers:
- Currently, all hosting is within the AWS US-East (Ohio) data center for production environment, AWS US-West (Oregon) for sandbox. It is on our roadmap to support hosting in other AWS regions.
Security
All employees are required to abide by Mediafly’s Information Security, Physical Security, and Information Technology Policies. These policies further define the appropriate technical and organizational measures employed to secure data.
Encryption
Please refer to the Mediafly Information Security Policy.
Data Retention
Please refer to the Mediafly Information Security Policy.
Mediafly may retain personal data for the entire duration of our contractual agreement with our customers. On completion of our contractual agreement, Mediafly will erase all personal data of customers’ users within a reasonable period of time after contract termination (90 days or less), subject to applicable laws, upon request of the customer.
Should a customer require retention that extends beyond contractual length, Mediafly can assist with transferring user data back to our customer towards the end of the contract period.
For Coach360 customers:
We retain personal data we process on behalf of our customers for as long as needed to provide services to our customers, as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We may retain residual information in our backup and/or archival copies and may maintain data that is not personally identifiable information without any time limit.
In addition, we may delete any information provided by you or related to you, pursuant to our policies as then in effect.
Data Subject Rights
Depending on applicable law, data subjects may have the following rights:
- The right to be informed: Individuals have the right to be informed about the collection and use of their personal data.
- The right to access: Individuals have the right to access their personal data and supplementary information.
- The right to rectification: Individuals have the right to have inaccurate personal information corrected or completed.
- The right to erasure: Also known as “the right to be forgotten,” individuals have the right to request erasure of their personal data in discrete circumstances.
- The right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data in discrete circumstances.
- The right to data portability: Individuals have the right to obtain in a structured, commonly used and machine readable form their personal data in discrete circumstances.
- The right to object: Individuals have the right to object to processing based on legitimate interests of the company or to direct marketing.
Mediafly will comply with the above requests, as determined by applicable law. To make a request, please contact us at dataprotection@www.mediafly.com.
Training
All Mediafly employees are required to receive training on this policy annually and certify that they understand and will comply with this Policy.
Violations
All reports of violations will be promptly and thoroughly investigated, and any violation of this policy may result in disciplinary action up to and including termination of employment or expulsion, as well as potential reporting to law enforcement and/or regulatory authorities.
How to contact us
If you have any questions regarding this Privacy Statement or our privacy-related practices, you may contact us using the information below:
150 N. Michigan Ave Ste 2000, Chicago, IL 60601 United States
Email: dataprotection@www.mediafly.com
Telephone: (312) 281-5175