Sigstr is a software platform that unlocks the potential of employee email. We turn employee email into a new marketing channel and a source for relationship intelligence.
Email Signature Marketing - a marketing platform that offers branded signatures and targeted/dynamic campaign banners.
Sigstr Relationships - a relationship intelligence platform that provides insight into B2B company relationships.
Data Controllers & Processors
Under GDPR, data Controllers are responsible for the management of data, while data Processors are responsible for data security and processing data on behalf of the Controllers. Under GDPR, Sigstr acts as a Processor of data, while customers act as the data Controller (more detail is listed in sections 4 and 6 below). At Sigstr, we offer the GDPR data subject rights to all individuals, regardless of whether the individual resides in the EU or Switzerland.
1. Information We Collect
Sigstr collects employee data, which contains personal information (as explained in more detail below). This is done to help build personalized email signatures and to map out relationship networks and insights. This section outlines the data that we collect and what we use it for.
1.1 Personal Information
Personal Information refers to any information that can be traced back to an individual’s identity.
At the time of collection, we will clearly identify the information being collected and the purposes for which it will be used. For example, to create an account you provide data including your name, email address and/or mobile number, and a password. It is always your choice whether or not to provide Personal Information. Your choice not to provide certain other Personal Information may mean that you will not be able to use certain features of the Services.
1.2 Company & Employee Data
In order to build personalized email signatures and relationship scores between accounts and contacts, some employee data is required. The amount of employee data depends on what the customer voluntarily provides to Sigstr, and the features being utilized. Customers typically provide email address, name, and title, but may provide more data depending on the desired signature, or features being utilized.
Please note that because customers agree to provide Sigstr with employee data voluntarily, such information does not constitute “harvested” emails under the CAN-SPAM Act of 2003.
1.3 Collection, Storage, and Use of Email Messages - Sigstr Relationships
If you take advantage of Sigstr’s Relationship Intelligence features, we analyze and store metadata about your company email and calendar events in order to build your company’s relationship network.
Sigstr stores the email and calendar metadata (to, from, header, and timestamp) in order to build your corporate relationship graph and to personalize/enhance the overall experience. Sigstr does not store the email body, subject line or attachments at rest. The service inspects the email body in memory only for the purpose of removing spam and automated messages that clutter up the data.
1.4 Contact & Company Data Enhancement
Sigstr has optional features that help track who views and engages with Sigstr campaign banners. This recipient tracking is used to understand who is engaging with your email content. Sigstr also has optional integrations with various marketing platforms, which send engagement data back to the marketing platform to help track conversions.
For customers who elect advanced functionality, Sigstr stores recipient email addresses that Sigstr CTAs (Calls to Action) are sent to. This is done so that Sigstr can provide richer analytics and identify individuals who are engaging with specific CTAs.
When building out B2B relationship scores and contact information of individuals you email, we may receive supplemental information about users and data subjects from other sources, including publicly available databases, and third parties from whom we have purchased data. This helps us to update, expand, and provide further value when using the platform to target prospective and current customers.
Examples of the types of Personal Information that may be obtained from public sources or purchased from third parties and combined with information we already have about data subjects may include business contact information such as your business email address, phone number, and job title.
2. How We Use Your Data
How we use your personal/employee data will depend on which features you use. We use the data for the following:
Build branded, personalized email signatures
Create Account Based Marketing campaigns (ABM functionality using recipient email lists)
Provide campaign analytics (views, clicks, etc)
For billing and accounting services
Build and maintain your network of contacts
Build Account and Contact relationship scores
To present products and offers that we believe would enhance your use of our Services (you can unsubscribe from these types of communications at any time).
User login and management
To measure, gauge, and improve the effectiveness of our advertising
Help communicate with the Sigstr support team
3. Information Ownership and Disclosures
3.1 Legal Disclosures
It is possible that we will need to disclose information about you when required by law or subpoena, to assist government enforcement agencies, or to (1) enforce our agreements with you or (2) investigate and defend ourselves against any third-party claims or allegations. We attempt to notify you about legal demands for your personal data when appropriate in our judgment, unless prohibited by law or court order or when the request is an emergency. We may dispute such demands when we believe, in our discretion, that the requests are overbroad, vague or lack proper authority, but we do not promise to challenge every demand.
3.2 Ownership Of Information
In use of the Service, customers may upload data, images, graphics, photos, links, and text (“Content”) to the Service. Although Sigstr owns the code, databases, and all rights to the Sigstr application, you retain all rights to your Content.
Click and display data for signature and employee email marketing banners
Account and Contact Relationship Intelligence data
Corporate/Employee Email & Calendar Data
Campaign targeting rules and banner images
Employee Data (email signatures and organizational groups)
Recipient, Account, Contact lists (for targeting banners or performing Relationship Intelligence analysis)
Certain data sources, when aggregated and anonymized across the Sigstr customer base, create value for all customers who use the platform.
Contact and Company Record metadata sourced from public sources and Sigstr proprietary processing used to enrich list creation, filtering, and performance analysis.
Aggregate Anonymized Data (such as average click through rate across all Sigstr customers)
App usage metrics
Individual & Data Subjects Own:
Personal Information - name, personal email, etc.
What if your contract ends and you no longer use the Sigstr services?
Sigstr is able to remove your company’s information upon request or termination of a previously specified agreement.
What happens if an Employee Leaves?
If an employee leaves the company, the email data is retained and owned by the company. Individuals retain the right to have their personal information removed, if requested.
4. Your Choices & Rights
4.1 Rights to Access and Control Your Personal Data
Sigstr admins have the ability to download and export all data in the application. This includes employee data, recipient data (if applicable), and campaign engagement details. Personal data of employees can be modified by Sigstr admins or by specified employees, when given permission by the Customer’s Sigstr admin.
Users (and data subjects) have the ability to request an export and/or deletion of their Personal Information in the Sigstr app, in accordance with Article 17 of GDPR. You can inquire about Personal Information that Sigstr has about you by emailing firstname.lastname@example.org. You may be asked for additional information to confirm your identity before any PII is disclosed.
4.2 Sharing Information
We can share data in the following limited circumstances, with appropriate permissions and safeguards that focus on your privacy.
Aggregated or de-identified information - This is information that cannot be tied back to an individual for the purpose of aggregate statistics.
Sub-processors - to companies that provide services to help us with our business activities such as sending email communications and processing billing and payments on our behalf. These companies are authorized to use your personal information only as necessary to provide these services to us.
Third party vendors (voluntary) - Sigstr customers can provide data to specific third party entities. For example, customers can share campaign engagement data with 3rd party companies for improved ad targeting on other platforms.
Legal Requests - We may disclose information about your company in response to a subpoena, court order, or other governmental request. Data subjects will be notified if their personal information is disclosed as a part of a legal request, to the extent permitted by law.
If Sigstr is involved in a merger, acquisition, or sale of all or a portion of its assets, including, without limitation, in the event of bankruptcy, where your information is transferred to the new company to continue providing you products and services.
Sigstr is potentially liable under the EU-U.S. and Swiss-U.S. Privacy Shield Principles in cases of onward transfer of data about EU and Swiss individuals to a third party acting on behalf of Sigstr as its agent if the third party engages in a manner inconsistent with the Privacy Shield Principles and Sigstr is responsible for the event giving rise to damages.
Sigstr shall ensure that any third party to which we disclose personal information provides the same level of privacy protection as is required by the Privacy Shield Principles and agrees in writing to provide an adequate level of privacy protection.
5. California Disclosures
California “Shine the Light” Information-Sharing Disclosure - California residents may request a list of all third parties to which we have disclosed any information about you for direct marketing purposes and the categories of information disclosed. If you are a California resident and want such a list, please send us a written request by email to email@example.com with “California Shine The Light Rights” in the subject line.
If you are a California resident and the processing of personal information about you is subject to the California Consumer Privacy Act (“CCPA”), beginning January 2020, you have certain rights with respect to that information. In particular, you have a right to request that we provide you with the following information:
The categories of personal information we have collected about you;
The categories of sources from which the personal information is collected;
The business or commercial purpose of collecting or selling personal information;
The categories of third parties with whom we share or sell personal information; and
The specific pieces of personal information we have collected about you.
In addition, you have the right to request that your personal information be deleted from our systems and/or not be sold to third parties. To do so, click on the ‘Do Not Sell My Personal Information’ link on our marketing websites located here: https://info.sigstr.com/ccpa, where you will need to fill out a “Do Not Sell My Personal Information” Form, or email firstname.lastname@example.org.
6. GDPR Information
With the enforcement of GDPR on May 25, 2018, Sigstr is committed to helping its customers be GDPR compliant. Under GDPR, Sigstr acts as a Processor of data, while customers act as the data Controller. Sigstr provides GDPR features to help with data access, portability and data retention (as stated in sections 4.1 and 4.2 above).
For Services where Sigstr is a processor of EU personal data, Sigstr has a Controller-Processor Data Processing Addendum (DPA) that can be added to the Master Services Agreement (MSA).
6.1 Legal Basis for Processing Information
We rely on the following legal grounds to process your personal information:
Consent - We may use your personal information as described in this Policy subject to your consent. To withdraw your consent, please contact us at email@example.com. You may also (i) refrain from providing, or withdraw, your consent for cookies; (ii) close your Sigstr account; and (iii) unsubscribe from communications. Please see Your Rights and Choices below for more information.
Performance of a contract - We may need to collect and use your personal information, subject to any applicable opt-out preferences, to perform our contractual obligations.
Legitimate Interests - We may use your personal information, subject to any applicable opt-out preferences, for our legitimate interests to provide and improve our Website, Technology and services. We process information on behalf of our customers who have legitimate interests in operating their businesses. We may use technical information as described in this Policy and use personal information for our marketing purposes consistent with our legitimate interests and any choices that we offer or consents that may be required under applicable law.
7. Privacy Shield Compliance
Pursuant to the Privacy Shield Frameworks, EU, UK, and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to firstname.lastname@example.org. If requested to remove data, we will respond within a reasonable timeframe.
Sigstr is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than that for which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to email@example.com. Sigstr may request additional information in order to verify your identity.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Sigstr’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Sigstr remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Sigstr proves that it is not responsible for the event giving rise to the damage.
7.1 Right to complain
In compliance with the Privacy Shield Principles, Sigstr commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Sigstr at:
20 N Meridian St, Floor 4
Indianapolis, IN 46204
Sigstr has committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.
Sigstr has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU and Switzerland in the context of the employment relationship. Do not submit complaints about HR data to BBB EU Privacy Shield.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
8. Other Important Information
8.1 Data Storage and Security
While no online service is 100% secure, we work very hard to protect information about you against unauthorized access, use, alteration, or destruction, and take reasonable measures to do so, such as monitoring our Services for potential vulnerabilities and attacks.
Sigstr uses secure third party vendors and hosting partners to provide the necessary hardware, software, networking, storage, credit card processing, and related technology required to run the Service. Compliance and various certifications of our hosting partners can be provided upon request.
Sigstr maintains annual SOC 2 Type II audits that are carried out by certified AICPA auditors and the report can be provided upon request.
Sigstr’s databases are located in the United States in multiple regions. Sigstr’s third party cloud provider is Privacy Shield Certified and SOC 2 Compliant (among other certifications).
8.2 Data Retention
We retain the personal data you provide while your account is in existence or as needed to provide you Services. We will retain personal data we process on behalf of our Clients for as long as needed to provide services to our Clients. Sigstr will retain this personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Data can be removed upon request of a customer at the end of a predetermined agreement, subject to any applicable statutory exceptions.
Sigstr provides tools around data retention that allow customers to set configurable data retention policies within the Services that will clear out data after the specified timeframe. Upon completion of a predetermined agreement, company data will be removed.
| Version | Description | Writer | Approved by: | Approved on: |
|---|---|---|---|---|
| Version 1 | Initial document creation | Sam Smith | Dan Hanrahan (President/Founder) | 11/3/14 |
| Version 2 | Added language around GDPR, data processing, and data retention. | Brent Mackay & Amber Jedamzik | Robert Harris (VP of Product/Engineering) | 5/16/18 |
| Version 3 | Added details around Sigstr Pulse and more detail on data collection and cookies | Brent Mackay & Amber Jedamzik | Robert Harris (VP of Product/Engineering) | 8/1/18 |
| Version 4 | Added Privacy Shield Certification information, changed the name of Sigstr Pulse to Sigstr Relationships, and added language around legal disclosures | Brent Mackay | Bryan Wade (CEO) | 1/15/19 |
| Version 5 | Added details around CCPA | Brent Mackay | Laura Breedlove (VP of Product & Engineering) | 1/24/20 |