Last revised: January 16, 2019
Sigstr is a software platform that unlocks the potential of employee email. We turn employee email into an owned marketing channel and a source for relationship intelligence.
Email Signature Marketing - a marketing platform that offers branded signatures and targeted/dynamic campaign banners.
Sigstr Relationships - a relationship intelligence platform that provides insight into B2B company relationships.
Data Controllers & Processors
Under GDPR, data controllers are responsible for the management of data, while data processors are responsible for data security and processing data on behalf of the controllers. Depending on the Services purchased, Sigstr may act as a data processor or co-controller of data (more detail listed in sections 4 and 5 below). At Sigstr, we have chosen to to adopt GDPR as a global standard for our Services, as we do not track whether someone is an EU citizen or not.
1. Information We Collect
Sigstr collects Employee Data, which contains Personal Information. This is done (voluntarily) to help build personalized email signatures and to map out relationship networks and insights. This section outlines the data that we collect and what we use it for.
1.1 Personal Information
Personal Information refers to any information that you voluntarily submit to us and that identifies you personally, including contact information, such as your name, e-mail address, address, phone number, and other information about yourself.
At the time of collection, we will clearly identify the information being collected and the purposes for which it will be used. For example, to create an account you provide data including your name, email address and/or mobile number, and a password. It is always your choice whether or not to provide Personal Information. Your choice not to provide certain other Personal Information may mean that you will not be able to use certain features of the Services.
1.2 Company & Employee Data
In order to build personalized email signatures and relationship scores between accounts and contacts, some employee data is required. The amount of employee data depends on what you voluntarily provide to Sigstr, and the features being utilized. Customers typically provide email address, name, and title, but may provide more data depending on the desired signature, or features being utilized.
Please note that because users agree to provide us with Contact Information voluntarily, such information does not constitute “harvested” emails under the CAN-SPAM Act of 2003.
1.3 Collection, Storage, and Use of Email Messages - Sigstr Relationships
If you take advantage of Sigstr’s Relationship Intelligence features, we analyze and store metadata about your company email and calendar events in order to build your company’s relationship network.
Sigstr stores the email and calendar metadata (to, from, header, and timestamp) in order to build your corporate relationship graph and to personalize/enhance the overall experience. Sigstr does not store the email body, subject line or attachments at rest. The service inspects the email body in memory only for the purpose of removing spam and automated messages that clutter up the data.
1.4 Contact & Company Data Enhancement
Sigstr has optional features that help track who views and engages with Sigstr campaign banners. This recipient tracking is used to understand who is engaging with your email content. Sigstr also has optional integrations with various marketing platforms, which send engagement data back to the marketing platform to help track conversions.
For customers who elect advanced functionality, Sigstr stores recipient email addresses that Sigstr CTAs (Calls to Action) are sent to. This is done so that Sigstr can provide richer analytics and identify individuals who are engaging with specific CTAs.
When building out B2B relationship scores and contact information of individuals you email, we may receive supplemental information about users and data subjects from other sources, including publicly available databases, and third parties from whom we have purchased data. This helps us to update, expand, and provide further value when using the platform to target prospective and current customers.
Examples of the types of Personal Information that may be obtained from public sources or purchased from third parties and combined with information we already have about you may include business contact information such as your business email address, phone number, and job title.
2. How We Use Your Data
How we use your personal/employee data will depend on which features you use. We use the data for the following:
Build branded, personalized email signatures
Create Account Based Marketing campaigns (ABM functionality using recipient email lists)
Provide campaign analytics (views, clicks, etc)
For billing and accounting services
Build and maintain your network of contacts
Build Account and Contact relationship scores
To present products and offers, which we believe would enhance your use of our Services (you can unsubscribe to these types of communications at any time).
User login and management
To measure, gauge, and improve the effectiveness of our advertising
Help communicate with the Sigstr support team
3. Information Ownership and Disclosures
3.1 Legal Disclosures
It is possible that we will need to disclose information about you when required by law, subpoena, or to assist government enforcement agencies: (1) enforce our agreements with you, (2) investigate and defend ourselves against any third-party claims or allegations. We attempt to notify you about legal demands for your personal data when appropriate in our judgment, unless prohibited by law or court order or when the request is an emergency. We may dispute such demands when we believe, in our discretion, that the requests are overbroad, vague or lack proper authority, but we do not promise to challenge every demand.
3.2 Ownership Of Information
In your use of the Service, you may upload data, images, graphics, photos, links, and text (“Content”) to the Service. Although Sigstr owns the code, databases, and all rights to the Sigstr application, you retain all rights to your Content.
Click and display data for signature and employee email marketing banners
Account and Contact Relationship Intelligence data
Corporate/Employee Email & Calendar Data
Campaign targeting rules and banner images
Employee Data (email signatures and organizational groups)
Recipient, Account, Contact lists (for targeting banners or performing Relationship Intelligence analysis)
There are certain data sources that when aggregated and anonymized across the Sigstr customer base, it creates value for all customers who use the platform. For example, when someone changes jobs, and your company has a relationship with that person, we can tell you when that job change happens. We maintain this data in order to make our product more valuable to our customers.
Contact and Company Record metadata sourced from public sources and Sigstr proprietary processing used to enrich list creation, filtering, and performance analysis.
Aggregate Anonymized Data (such as average click through rate across all Sigstr customers)
Individual & Data Subjects Own:
Personal Information - name, personal email, etc.
What if your contract ends and you no longer use the Sigstr services?
Sigstr is able to remove your company’s information upon request or termination of a previously specified agreement.
What happens if an Employee Leaves?
If an employee leaves the company, the email data is retained and owned by the company. Individuals retain the right to have their personal information removed, if requested.
4. Your Choices & Obligations
4.1 Data Retention
We retain the personal data you provide while your account is in existence or as needed to provide you Services. We will retain personal data we process on behalf of our Clients for as long as needed to provide services to our Clients. Sigstr will retain this personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Data can be removed upon request of a customer at the end of a predetermined agreement.
Sigstr provides tools around data retention that allow customers to set configurable data retention policies within the Services that will clear out data after the specified timeframe. Upon completion of a predetermined agreement, company data will be removed.
4.2 Rights to Access and Control Your Personal Data
Sigstr admins have the ability to download and export all data in the application. This includes employee data, recipient data (if applicable), and campaign engagement details. Personal data of employees can be modified by Sigstr admins or by specified employees, when given permission by the Sigstr admin.
Users (and data subjects) have the ability to request an export and/or delete of their Personal Information in the Sigstr app as well, in accordance with Article 17 of GDPR. You can also inquire about Personal Information that Sigstr has about you by emailing firstname.lastname@example.org. You may be asked additional information to confirm your identity prior to disclosing any PII.
4.3 Sharing Information
We do not sell your personal information. We can share data in the following limited circumstances, with appropriate permissions and safeguards that focus on your privacy.
Aggregated or de-identified information - This is information that cannot be tied back to an individual for the purpose of aggregate statistics.
Third party vendors (voluntary) - Sigstr customers can provide data to specific third party entities. For example, customers can share campaign engagement data with 3rd party companies for improved ad targeting on other platforms.
Legal Requests - We may disclose information about your company in response to a subpoena, court order, or other governmental request. Data subjects will be notified if their personal information is disclosed as a part of a legal request, to the extent legally permitted by law.
Sigstr is potentially liable under the EU-U.S. and Swiss-U.S. Privacy Shield Principles in cases of onward transfer of data about EU and Swiss individuals to a third party acting on behalf of Sigstr as its agent if the third party engages in a manner inconsistent with the Privacy Shield Principles and Sigstr is responsible for the event giving rise to damages.
Sigstr shall ensure that any third party to which we disclose personal information provides the same level of privacy protection as is required by the Privacy Shield Principles and agrees in writing to provide an adequate level of privacy protection. Prior to disclosing personal information to a third party that is not acting as Sigstr’s agent, we will notify you of such disclosure and provide you with the choice to opt-out of the disclosure.
5. GDPR Information
With the enforcement of GDPR on May 25, 2018, Sigstr is committed to helping its customers be GDPR compliant. Depending on the Services you use, Sigstr may be a co-controller or data processor. Sigstr provides GDPR features to help in both scenarios for data access, portability and data retention (as stated in sections 4.1 and 4.2 above).
Sigstr also has a Data Processing Addendum (DPA) that can be added to the Master Services Agreement (MSA).
6. Privacy Shield Compliance
Sigstr is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
6.1 Right to complain
In compliance with the Privacy Shield Principles, Sigstr commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Sigstr at:
20 N Meridian St, Floor 4
Indianapolis, IN 46204
Sigstr has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU and Switzerland in the context of the employment relationship.
Sigstr uses the BBB EU PRIVACY SHIELD, an independent dispute resolution mechanism, for unresolved complaints. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
7. Other Important Information
7.1 Data Storage and Security
While no online service is 100% secure, we work very hard to protect information about you against unauthorized access, use, alteration, or destruction, and take reasonable measures to do so, such as monitoring our Services for potential vulnerabilities and attacks.
Sigstr uses secure third party vendors and hosting partners to provide the necessary hardware, software, networking, storage, credit card processing, and related technology required to run the Service. Compliance and various certifications of our hosting partners can be provided upon request. Credit Card Processing is managed by Cheddar. For more information on their servers and security, please visit www.cheddargetter.com.
Sigstr’s databases are located in the United States in multiple regions. Sigstr’s third party cloud provider is Privacy Shield Certified and SOC 2 Compliant (among other certifications).
Sigstr may disclose Personal Information under special circumstances, such as to comply with subpoenas when a user’s actions may violate the Terms of Service. Data subjects will be notified if their personal information is disclosed as a part of a legal request, to the extent legally permitted by law.
|Version||Description||Writer||Approved by:||Approved on:|
|Version 1||Initial document creation||Sam Smith||Dan Hanrahan (President/Founder)||11/3/14|
|Version 2||Added language around GDPR, data processing, and data retention.||Brent Mackay & Amber Jedamzik||Robert Harris (VP of Product/Engineering)||5/16/18|
|Version 3||Added details around Sigstr Pulse and more detail on data collection and cookies||Brent Mackay & Amber Jedamzik||Robert Harris (VP of Product/Engineering)||8/1/18|
|Version 4||Added Privacy Shield Certification information, changed the name of Sigstr Pulse to Sigstr Relationships, and added language around legal disclosures||Brent Mackay||Bryan Wade (CEO)||1/15/19|