Legal

Terms of Use
GDPR
Privacy Policy
DPA
MSA
SLA
Data Privacy Policy
Services Terms
Subprocessors

Data Protection Policy

Last modified: October 2025

About this document

This document is Mediafly’s Data Protection policy. It is intended to document the approach to data protection to which Mediafly adheres, including the collection, handling, and storage of customer, prospect, and employee information.

This Data Protection Policy helps to ensure that Mediafly:

  • Complies with relevant data protection law;
  • Adheres to commonly-held best practices; and
  • Protects the rights of its customers, prospects, and employees

Scope

This Data Protection Policy applies to Mediafly, Inc. and its subsidiaries. The Policy extends to all collection, processing, handling, and storage of company, customer, prospect, and employee personal information.

This document is meant to supplement, and not replace, the Mediafly Information Security Policy document or any other policy, plan or presentation.

Data Processing Agreements

From time to time, our customers may request that we execute Data Processing Agreements, which generally require Mediafly to follow specific collection and processing instructions relating to personal information from our customers. Mediafly is generally willing to execute standard Data Processing Agreements; however, our DPOs are required to review and approve all Data Processing Agreements prior to execution. Mediafly has its own Data Processing Agreement, which is available for all customers.

Legal Compliance

Mediafly respects the privacy of our customers, prospects, and employees, and is committed to protecting the personal information we collect, process, and store about them. To that end, Mediafly endeavors to achieve compliance with applicable privacy-related laws and requirements, including U.S.-based law, U.S.-stage-based laws such as CCPA and CPRA, and the EU and UK versions of the General Data Protection Regulation (GDPR).

Mediafly collects and processes personal information from EU and UK customers, prospects, and employees pursuant to our legitimate business as explained more fully below. In addition, Mediafly obtains affirmative consent from its prospects to deliver targeted marketing material.

Mediafly provides notices prior to collecting data from users. Mediafly requires acceptance of our terms that clearly illustrate what data is collected and for what purpose.

Refer to Mediafly’s Website Privacy Statement and Application User Privacy Statement to learn more about the way in which we collect, process, handle, and store personal information from customers, prospects, and employees.

Personal Data Processing

Mediafly collects personal data on users of our applications.

For users of Mediafly Engagement, Mediafly collects the following personally identifiable information (PII):

  • First name
  • Last name
  • Email address
  • IP address where content was viewed
  • User-agent

For users of Value sales tools, Mediafly collects the following PII:

  • First name
  • Last name
  • Email address
  • Tool-specific inputs

For users of Value marketing tools: if the tool is configured to collect data, Mediafly collects the PII as configured by the tool. Most often this includes:

  • First name
  • Last name
  • Email address
  • Tool-specific inputs

Note that Value marketing tools only collect this PII if the tool was configured to do so. Otherwise, the tool will push this data immediately to the integrated Marketing Automation solution, and wipe itself clean of this data.

For users of Creative Services, Mediafly collects the following PII:

  • First name
  • Last name
  • Email address or other unique user identifier
  • IP address where content was viewed

For users of Intelligence, Mediafly collects the following PII:

  • First name
  • Last name
  • Email address

For users of Coach, Mediafly collects the following PII:

  • Ingests recordings of conversations made by employees, and as such any PII discussed during those recordings is accessible in our system
  • First name
  • Last name
  • Email address

Data Security Incidents

Mediafly has an established process to investigate and respond to data security incidents, such as server intrusion or information leakage. All employees are required to report to the DPO all actual or suspected data security incidents. We will follow the guidelines as outlined in the Incident Management section of the Mediafly Information Security Policy.

Subprocessors

Mediafly shares data with external parties, known as subprocessors. A full list the subprocessors that Mediafly uses in the course of its business can be found at www.mediafly.com/legal/subprocessors.

Data transferred to/from the subprocessors is through secure channels and follows Mediafly’s Information Security Policy.

Mediafly has a Data Processing Agreement that outlines specific requirements to which we adhere for each subprocessor.

Handling and Storage

  • For Engagement customers:
    • Currently, Mediafly offers the option for customers to store content and data in any AWS location. This includes:
      • USA – N. Virginia
      • USA – Ohio
      • USA – N. California
      • USA – Oregon
      • APAC – Mumbai
      • APAC – Seoul
      • APAC – Singapore
      • APAC – Sydney
      • APAC – Tokyo
      • Canada – Central
      • EU – Frankfurt
      • EU – Ireland
      • EU – London
      • EU – Paris
      • South America – São Paulo
    • Hosting in China is unsupported at this time
    • Mediafly can currently offer hosting all storage of content and database in a non-USA and non-China region. E.g., all uploaded content and database data could be stored in EU (Frankfurt). Mediafly, however, currently requires content delivery, APIs, processing and storage of reporting data, and AI Features to be performed in the US. It is on our roadmap to allow full verticalization of our technology offering, so that all components can reside in another region for specific customers.
  • For Value customers:
    • Currently, hosting is within the AWS US-East (Northern Virginia) data center. It is on our roadmap to support hosting in other AWS regions.
  • For Coach customers:
    • Currently, hosting is within the AWS US-East (Northern Virginia and Ohio) data centers. It is on our roadmap to support hosting in other AWS regions.
  • For Intelligence customers:
    • Currently, all hosting is within the AWS US-East (Ohio) data center for production environment, AWS US-West (Oregon) for sandbox. It is on our roadmap to support hosting in other AWS regions.

Security

All employees are required to abide by Mediafly’s Information Security, Physical Security, and Information Technology Policies. These policies further define the appropriate technical and organizational measures employed to secure data. 

Encryption

Please refer to the Mediafly Information Security Policy.

Data Retention

Please refer to the Mediafly Information Security Policy for more details.

Mediafly may retain personal data for the entire duration of our contractual agreement with our customers. On completion of our contractual agreement, Mediafly will erase all personal data of customers’ users within a reasonable period of time after contract termination (90 days or less), subject to applicable laws, upon request of the customer.

Should a customer require retention that extends beyond contractual length, Mediafly can assist with transferring user data back to our customer towards the end of the contract period.

For Coach customers:

We retain personal data we process on behalf of our customers for as long as needed to provide services to our customers, as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We may retain residual information in our backup and/or archival copies and may maintain data that is not personally identifiable information without any time limit.

In addition, we may delete any information provided by you or related to you, pursuant to our policies as then in effect.

Data Subject Rights

Depending on applicable law, data subjects may have the following rights:

  • The right to be informed: Individuals have the right to be informed about the collection and use of their personal data.
  • The right to access: Individuals have the right to access their personal data and supplementary information.
  • The right to rectification: Individuals have the right to have inaccurate personal information corrected or completed.
  • The right to erasure: Also known as “the right to be forgotten,” individuals have the right to request erasure of their personal data in discrete circumstances.
  • The right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data in discrete circumstances.
  • The right to data portability: Individuals have the right to obtain in a structured, commonly used and machine readable form their personal data in discrete circumstances.
  • The right to object: Individuals have the right to object to processing based on legitimate interests of the company or to direct marketing.

Mediafly will comply with the above requests, as determined by applicable law. To make a request, please contact us at dataprotection@mediafly.com.

Training

All Mediafly employees are required to receive training on this policy annually and certify that they understand and will comply with this Policy.

Violations

All reports of violations will be promptly and thoroughly investigated, and any violation of this policy may result in disciplinary action up to and including termination of employment or expulsion, as well as potential reporting to law enforcement and/or regulatory authorities.

How to contact us

If you have any questions regarding this Privacy Statement or our privacy-related practices, you may contact us using the information below:

Mediafly, Inc.
P.O. Box #25102
Chicago, IL 60625
Email: dataprotection@mediafly.com
Telephone: (312) 281-5175