General Data Protection Regulation

 

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy. 

 

As the General Data Protection Regulation (“GDPR”) has come into force, Deft has been GDPR competent since May 2018. 

 

Deft provides a number of services to you and our other customers. Our provision of services to you may or may not qualify as ‘processing’ of personal data as that term is used in the GDPR, and the obligations that are incumbent upon a data processor of personal data then may not apply to Deft with respect to any personal data that you or your customers transmit using our services. As always, we encourage you to take active measures to protect the security of any sensitive data that you send using our services.

 

As part of the process to install, provide and maintain your services with Deft, we do from time to time, request contact information for billing and technical contacts.  This contact information constitutes personal data as defined by the GDPR (“Business Contact Personal Data”).   When you provide us with Business Contact Personal Data, we are the data controller of Business Contact Personal Data processed under each Agreement. You warrant that you have obtained all necessary consents from the data subject concerned for the transfer of Business Contact Personal Data to us. 

 

We will process Business Contact Personal Data as is necessary to maintain our business relationship with you and to meet our obligations to you under each Agreement in accordance with the terms of the data protection provisions contained in your Agreement. As part of these provisions, we ask that you provide the link to our privacy notice to each of data subjects for whom you have provided Business Contact Personal Data to Deft. 

 

I. Scope

Please read this document carefully. This GDPR Privacy Policy applies to the Processing of Personal Data by Deft for Customers and Data located within the EEA, including in the UK, in our role as a Controller, or as otherwise covered by the GDPR, when individuals:

 

• visit or use our Websites;
• interact with us on behalf of a Customer in connection with the provision of our Services;
• interact with us on behalf of a Service Provider in connection with the products and services our Service Provider provides to us;
• interact with us on behalf of a business partner in connection with our relationship with the business partner;
• apply to work with us;
• receive marketing communications from us; and/or
• interact with us by registering for, attending and/or otherwise taking part in our trade events, webinars, or conferences or communicate with us via email, phone, or in-person interactions.

This GDPR Privacy Policy does not apply to any Personal Data Processed, stored, or hosted by Customers using any of our Services or to the extent that we Process Personal Data in the role of a Processor on behalf of our Customers. Where we act as Processors on behalf of our Customers, that Processing is subject to the protections contained in our data processing agreements with Customers. We have no control over, and are not responsible for, any Personal Data that our Customers may store or host on their equipment or otherwise process while using our Services. We are not responsible for the privacy or data security practices of our Customers, which may differ from those set forth in this GDPR Privacy Policy. For information related to how our Customers Process Personal Data, please contact the respective Customer directly. 

 

Furthermore, this GDPR Privacy Policy does not apply to any third-party website or service that may be linked to the Websites unless that website or service is controlled by us and displays this GDPR Privacy Policy. We have no control over, and are not responsible for, the data collection and/or handling practices of these third-party websites or services outside our Websites. We encourage you to read the privacy statements of any third-party websites or services linking to (or linked to via) the Website. In the event of a conflict between this GDPR Privacy Policy and the General Privacy Policy, this GDPR Privacy Policy will prevail

 

 

II. Definitions

Please see the definitions as presented in the General Privacy Policy found here.

 

III. Identification of Controllers

Deft’s does not maintain entities located in the EEA/UK that act as Controllers, as such the Controller is the US entity ServerCentral, LLC dba Deft.com.

IV. Our Contact Details

If you have any questions or concerns as to how your Personal Data is Processed, please write to us at privacy@deft.com or at 2200 Busse Road, Elk Grove Village, IL 60007 (Attn: Deft Legal Department).

 

V. Deft’s Data Collection Practices

A. What Types of Personal Data Does Deft Collect?

Deft collects and processes the following categories of Personal Data from Customers, Service Providers, business partners, Representatives, Website Visitors, prospective employees, individuals that receive marketing communications from Deft and individuals that interact with Deft by registering for, attending and/or otherwise taking part in Deft’s trade events, webinars or conferences or who communicate with Deft via email, phone or in person, in each case to operate its business for the specific purposes identified below.

• Personal Details include data such as names, titles, company names, departments, email addresses, physical street addresses, telephone numbers, and social media usernames of individuals.
• Login Credentials include data such as usernames and passwords of individuals needed to access the Deft Customer Portals and receive Customer support or otherwise access Deft systems.
• Unique IDs include data such as IP addresses and geolocation data that we obtain from (a) Representatives, (b) prospective employees, (c) Website Visitors who access our customer portal or Websites, or (d) other individuals that interact with us.
• Payment Information includes data such as bank name, account numbers, routing numbers, check numbers, and wire transfer IDs.
• Customer Support Records include data such as call details and other similar data regarding customer support communications and chat sessions with Representatives.
• Website Records include data related your interactions with our Websites and other online content such as log data (i.e., preferences and settings, IP addresses, technical information about the device used to visit the Websites, and geolocation information) and traffic data (i.e., pages viewed, date stamps, time spent on a page, click through and clickstream data, queries made, search history, search results selected, comments made, type of service requested, and purchases made).
• Education and Work History includes details such as attended schools, past employers, descriptions of roles performed, locations of employment, and reasons for leaving past employment.
• Marketing and Event Records include the personal details of the Representative signing up to receive marketing materials as well as information collected from Representatives who complete a survey or form. Marketing records also include the personal details of Representatives who register for, attend and/or otherwise take part in our trade events, webinars, or conferences as well as information about these events.

B. Why Does Deft Collect Personal Data, What are the Sources of Personal Data, What are the Purposes for Processing, and What is the Lawful Basis?

This section of the GDPR Privacy Policy covers Deft’s collection of data necessary for the establishment of relations with or provision of Services to existing Customers, the establishment of relationships with or receipt of services from our Service Providers, the establishment of relations with or interactions with business partners, interactions with our Website Visitors, interactions with applicants for employment, interactions with those that receive marketing communications from Deft and interactions with those that register for, attend and/or otherwise take part in Deft’s trade events, webinars or conferences or who communicate with Deft via email, phone or in-person.

 

The table below sets out the types of Personal Data Deft Processes, the purposes of Processing such Personal Data, and Deft’s lawful basis for doing so. The lawful basis will vary with the type of Processing involved and will typically include Processing (i) necessary for Deft to pursue its legitimate business interests, (ii) based on your consent, where this is required by data protection laws, and (iii) necessary for Deft to comply with its legal obligations. Where we rely on our legitimate business interests, we have explained what the grounds are for that reliance.

 

 

Deft’s Purpose of Processing Personal Data	Deft’s Lawful Basis for Collecting Personal Data
To engage in transactions with Customers, Service Providers and business partners. When a Customer places an order for our Services, Deft Processes the following Categories of Personal Data to engage in and administer the relevant transactions necessary to deliver and provide such Services to its Customer (i.e., signing a contract or service order, creating an account, sending invoices, receiving payments, granting access to customer portal). Deft also collects and Processes such Personal Data when engaging with and purchasing products and services from Service Providers or business partners. Personal Details Login Credentials Unique IDs Payment Information	Deft has a legitimate business interest in processing Personal Data in order to engage in transactions with its Customers, Service Providers and business partners and efficiently run its business.
To provide customer and technical support. Deft collects and Processes the following categories of Personal Data to provide Customers and their Representatives with technical and general support: Personal Details Login Credentials Unique IDs Customer Support Records	Deft has a legitimate business interest in being able to provide its Customers with customer and technical support.
To communicate and respond to requests and inquiries. When a Customer, Service Provider, business partner or other person or entity contacts us by email, phone, text or by submitting a contact form on our Website, Deft collects and Processes the following Categories of Personal Data from the Representatives or other individuals in order to communicate with Customer, Service Provider, business partner or such other person or entity, as applicable, and respond to their requests and inquiries. Deft also collects and Processes the following Personal Data from Representatives who register for a trade event, webinar, conference: Personal Details Unique IDs Website Records Marketing and Event Records	Deft has a legitimate business interest in being able to communicate with its Customers, Service Providers, business partners and other persons or entities and respond to their inquiries and requests.
To market our Services and tailor our marketing and sales activities. Deft may Process the following categories of Personal Data when marketing new and existing Services and features to its Customers and other persons and entities and in an effort to personalize such experience. Deft also collects and Processes the following Personal Data from Representatives who register for a trade event, webinar, conference: Personal Details Unique IDs Website Records Marketing and Event Records	Except in cases where opt-in consent is required by law for the processing of email addresses, IP addresses or other unique identifiers to send or process electronic communications (emails, texts, cookies, etc.), Deft processes this data for marketing purposes on the basis of its legitimate interests.
To analyze, improve, and optimize the use, function and performance of our Website and Services. Deft may Process the following categories of Personal Data in order to analyze, improve, and optimize the use, function and performance of its Website and Services, including for quality assurance and training purposes, as well as for marketing and sales campaigns. Personal Details Unique IDs Website Records Marketing and Event Records	Deft has a legitimate business interest in improving and optimizing the use of its Website and Services.
To comply with applicable laws, regulations and internal policies, practices, and procedures. Deft may be required to disclose certain categories of Personal Data to comply with applicable laws and regulations, for example, to respond to a request from a government agency or to defend a legal claim. Additionally, Deft may also be required to Process certain categories of Personal Data when conducting internal audits and investigations to ensure compliance with internal and external policies, practices, and procedures.	Legal Obligation Deft has a legitimate business interest in complying with all applicable laws, regulations, and internal policies.
To effectuate a reorganization, sale, merger, assignment, transfer or other disposition of all or any portion of Deft’s business. In the event Deft reorganizes its business operations or enters into a transaction involving the sale, merger, assignment, transfer, or disposition of all or part of its business, it may be required to share all of the above categories of Personal Data with a third party. Except as otherwise provided by a bankruptcy or other court, the use and disclosure of all transferred Personal Data will be subject to compliance with applicable data protection laws.	Deft has a legitimate business interest in being able to carry out a reorganization, sale, merger, assignment, transfer or disposition of its assets or business should the need arise.
To receive applications for employment. Deft may Process the following categories of Personal Data when receiving, reviewing, using, and storing applications for employment, including from prospective employees who visit the Website or other online locations where jobs may be posted and applications may be submitted: Personal Details Login Credentials Unique IDs Education and Work History	Deft has a legal obligation to collect certain information to confirm your right to work in the country to which you have applied. Otherwise, Deft has a legitimate business interest in Processing the Personal Data of job applicants who seek to join the company to assess them as candidates for employment.

VII. Opting Out of Marketing Communications

If at any time you wish for us to cease communicating with you with marketing materials, please take advantage of the “unsubscribe” link that you will find in any of our written electronic communications or email us at marketing@deft.com . Please note you may still receive some communications such as those related to the Services you are receiving or in response to inquiries you have made to us.

VIII. Sharing with Third Parties

Except as described below, we will not share or disclose Personal Data with or to outside third parties (meaning entities outside of Deft). 

We will never sell Personal Data collected for the purposes of Service provision, or otherwise obtained from third parties, nor knowingly permit it to be used for marketing purposes by any person outside of Deft.

 

 

1. Service Providers. We may share Personal Data with our Service Providers in connection with advertising, hosting, data analytics, information technology and infrastructure, order management and fulfillment, billing, contract management, email delivery, auditing, events, and other related activities. We provide such Personal Data or authorize the processing of such Personal Data only as necessary to enable our Service Providers to perform their designated functions. Our contracts with them (1) require them to act only under our instruction and for the purpose(s) directed by us with respect to such Personal Data; and (2) prohibit them from sharing such Personal Data with any third parties without our authorization.
2. Business Partners. We may also share your Personal Data with trusted business partners pursuant to our contractual arrangements with them, which will include appropriate safeguards to protect any Personal Data that we share with these partners. These may include, but are not limited to, third parties that organize tradeshows, third party consultants and experts, and auditors.
3. Affiliated Entities. We share Personal Data with our Affiliates. Subject to local requirements, this Personal Data may be used to provide Services offered by our Affiliates, for the Affiliates to provide support to the Affiliated entity that is sharing the Personal Data or for any other purposes described in this GDPR Privacy Policy. For example, Affiliates may share Personal Data about our Customers, Service Providers, business partners, Representatives, prospective employees, and Website Visitors for direct marketing purposes.
4. Payment Processing. We work with a payment processing partner to process credit card payments. If you make any credit card payment to us, our payment processing provider will store your full name and credit card details.
5. Fraud Prevention and Protection of Legal Rights. We may use and disclose Personal Data to the appropriate legal, judicial or law enforcement authorities and our advisors and investigators: (i) when we believe, in our sole discretion, that such disclosure is necessary to investigate, prevent, or respond to suspected illegal or fraudulent activity or to protect the safety, rights, or property of Deft and of our Customers, Service Providers, business partners, Representatives, Website Visitors, prospective employees, or others; (ii) when we suspect abuse of the Website or Services or unauthorized access to any system, spamming, denial of service attacks, or similar attacks; (iii) to exercise or protect legal rights or defend against legal claims; or (iv) to allow us to pursue available remedies or limit the damages that we may sustain.
6. Law Enforcement. We may have to disclose the Personal Data of our Customers, Service Providers, business partners, Representatives, applicants, Website Visitors or others if a court, law enforcement or other public or government authority with appropriate competency requests that we provide that Personal Data and we believe, in our reasonable discretion, that such request was made in compliance with applicable law.
7. Corporate Reorganization. We may transfer the Personal Data of our Customers, Service Providers, business partners, Representatives, Website Visitors or others to a third party in the case of the reorganization, sale, merger, joint venture, assignment, transfer or other disposition of all or any portion of our business, asset or stocks, including in the event of bankruptcy or corporate restructuring. Except as otherwise provided by a bankruptcy or other court, the use and disclosure of all transferred Personal Data will be subject to compliance with applicable data protection laws. Any Personal Data that an individual submits or that is collected after the reorganization may be subject to a new privacy policy adopted by the successor entity, of which we will inform, where required.

IX. Cross-Border Transfers

For cross-border transfers of EEA, UK or Swiss Personal Data to Group Affiliates in the US and/or to third parties, such as Service Providers or business partners in countries outside the EEA/UK/Switzerland that are not considered to provide an adequate level of data protection, Deft will adopt safeguards consistent with applicable data protection law including, but not limited to, transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for personal data, to a recipient that has achieved binding corporate rules authorization in accordance with EEA, UK, or Swiss data protection law, or to a recipient that has executed appropriate standard contractual clauses (“SCCs”) in each case as adopted or approved in accordance with EEA, UK, or Swiss data protection law.

 

Although Deft no longer relies on the Privacy Shield Framework as a lawful transfer mechanism, we remain subject to the regulatory enforcement powers of the U.S. Federal Trade Commission with respect to Personal Data that was transferred to them pursuant to the Privacy Shield Framework. 

 

X. Data Retention

We will retain Personal Data that we collect and Process where we have a justifiable business need to do so and/or for as long as it is needed to fulfill the purposes outlined in this GDPR Privacy Policy. We may retain Personal Data as required by law, such as for tax, legal, or accounting purposes.

 

When, in our reasonable discretion, we have no justifiable business need to Process your Personal Data (for example, after all of our necessary interactions have ended, our internal record keeping policies no longer require us to continue to Process your Personal Data, and we have no other legal obligations to retain your Personal Data), we will either delete it or anonymize it.

XI. Data Subject Rights under the GDPR

The GDPR grants individuals who are in the EEA/UK the following rights, with some limitations. Individuals may contact us, at the address provided in the Section IV captioned “Our Contact Details” above to exercise any of those rights and we will respond with the requested action or information, or will let you know why such rights do not apply to you.

These rights are not absolute and are subject to various conditions under applicable data protection and privacy legislation and the laws and regulations to which we are subject.

In some cases, the exercise of these rights (for example, erasure, objection, restriction or the withholding or withdrawing of consent to processing) may make it impossible for us to achieve the purposes identified in Section V or VI, as applicable, of this GDPR Privacy Policy and otherwise provide services.

• Right Not to Provide Consent or to Withdraw Consent. We may seek to rely on your consent in order to Process certain Personal Data. Where we do so, you have the right not to provide your consent, and the right to withdraw your consent at any time. If you withdraw your consent, this will not affect the lawfulness of the Processing conducted based on consent before its withdrawal.
• Right of Access. You have the right to obtain confirmation as to whether or not we collect or Process Personal Data concerning you and, if this is the case, you have the right to request a copy of such Personal Data in digital format.
• Right of Rectification. You have the right to require that we correct any inaccurate Personal Data concerning you, and that we complete incomplete Personal Data.
• Right of Erasure. In certain circumstances, you have the right to request that we erase Personal Data concerning you; for example, if it is no longer necessary for the purposes for which it was originally collected and we do not otherwise have a legitimate reason to retain it.

  We may need to retain certain Personal Data when legally required, for internal, record keeping purposes, and/or in order to complete any transactions initiated prior to an individual’s request to remove or delete their Personal Data. Where we are unable to delete data from our systems, we will anonymize it so it will no longer be tied to your identity.

• Right to Restrict Processing. In certain circumstances, you have the right to request that we restrict the Processing of the Personal Data that we have collected about you; for example, where you believe that the Personal Data that we hold about you is not accurate or lawfully held.
• Right to Data Portability. In certain circumstances, you have the right to receive the Personal Data concerning you that you have provided to us in a structured, commonly used, machine readable format, and for us to transmit the data to another entity where technically feasible.
• Right to Object to the Processing. In certain circumstances, you have the right to request that we stop Processing your Personal Data, including where we rely on legitimate interests as legal basis in the tables on the details of Processing provided above. If you receive commercial electronic communications from us, you can unsubscribe from the receipt of future commercial electronic communications from us by clicking on the “unsubscribe” link provided in such communications. Please also note that if you do opt out of receiving commercial electronic communications from us, we may still send you important administrative messages (such as updates about your account or changes in the Services), and you cannot opt out from receiving these messages, unless you stop receiving our Services.
• Right Not to be Subject to Decisions Based Solely on Automated Processing that Produce Legal Effects. We do not make decisions based solely on automated processing – including profiling – that produces legal effects or similarly affects you.
• Right to Complain to a Supervisory Authority. You have the right to lodge a complaint with a Supervisory Authority if you believe that our Processing of Personal Data relating to you is inconsistent with our obligations under the GDPR. In this situation, we ask you please consider contacting us first, so that we can try and assist with your query or address your concern.

To exercise any of your rights as set forth herein, please contact us in writing, via email or postal mail as indicated in Section IV “Our Contact Details” above, so that we may consider your request under applicable law. We may ask that you provide the following Personal Data for us to address your request speedily:

• The name, User ID, pseudonym, email address, or other identifier you have provided to us or if you have not otherwise previously interacted with us, your first and last name and an address where we can correspond with you;
• The country in which you are located;
• A clear description of the Personal Data or content you wish to receive or to be deleted or corrected, or the action you wish to be taken; and
• Sufficient information to allow us to locate the content or Personal Data to be deleted, removed, or corrected.

For your protection, we may only implement requests with respect to the Personal Data that are associated with the particular email address that you use to send us your request. In addition, please note that, depending on the nature of your inquiry, request, or complaint, we may need to verify your identity before implementing your request and may require proof of identity, such as in the form of a government issued ID and proof of your physical address. We will try to comply with your request as soon as reasonably practicable and in any case within the timelines prescribed by applicable laws. However, we reserve the right to refuse to act on a request that is manifestly unfounded or excessive (for example because it is repetitive) and/or, in some cases, to charge a fee that takes into account the administrative costs for providing the information or the communication or taking the action requested.

 

Changes

We may update this policy from time to time.  Any changes we will make to this policy in the future will be posted on this page. Please check back frequently to see any updates or changes to this policy.

 

You can also review our general privacy practices and commitments at https://deft.com/privacy-policy.

Last updated: June 1, 2023