Keap Application Privacy Notice

Effective on: June 2, 2020

Scope of this Notice

Infusion Software, Inc. (“Keap,” “we,” “us,” and “our”) takes the protection of personal data very seriously. This Application Privacy Notice (the “Notice”) addresses data subjects whose personal data we may receive in our hosted sales and marketing software applications (including from our websites, web applications, our mobile applications, or other add-on applications) from our customers or business partners. Our customers and business partners use our applications to store and process the personal data of their own users and customers, and we act only as a processor or service provider for such personal data. In general, we only access such personal data at our customer’s request in connection with customer support or account administration matters, as is reasonably necessary in order to provide the services that our customer has directed us to provide, or as may be required by law.

This Notice does not apply to personal data we collect by other means, such as personal data that we receive directly through Keap’s own publicly accessible websites or that we process as part of selling and marketing our services. For information about how we process such personal data, you can visit our Privacy Policy at https://keap.com/legal/privacy-policy.

If you are a customer and elect to integrate certain third-party connections with our platform, personal data submitted in conjunction with use of such services may be governed by our Third-Party Integrations API Privacy Notice (located at https://keap.com/legal/third-party-api-privacy-notice) as described therein.

Categories of Personal Data

Keap sells sales and marketing software and related services, designed primarily for small businesses. Our customers use our hosted technology platforms to store and process personal data at their own discretion. Since our customers provide the personal data covered by this Notice, the categories of personal data we process are also determined by our customers, with whom the relevant data subjects typically have a closer employment or business relationship (and who, therefore, can provide additional information as to the categories of personal data shared with us). When you give your data to one of our customers or when we collect your personal data on their behalf, our customer’s privacy notice, rather than this Notice, will apply to our processing of your personal data. If you have a direct relationship with one of our customers, please contact them to exercise your privacy rights.

How We Receive Personal Data

We may receive your personal data when our customers or our business partners submit your personal data to our hosted technology platforms.

Controllership

In the context of this Notice, Keap acts as a data processor (or a “service provider”) for the personal data we process. It is the responsibility of our customers, who are typically data controllers, to establish a lawful basis and business purpose for the processing activities they undertake using our hosted sales and marketing software.

Purposes of Processing of Personal Data

We collect and use personal data for the purposes of providing, maintaining, and developing our services, communicating with business partners about business matters, processing personal data on behalf of customers, detecting and blocking spam messages and security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, monitoring compliance with our contractual obligations and any applicable platform use requirements and restrictions with our customers, conducting related tasks as reasonably required in order to provide our hosted sales and marketing software to our customers, managing and processing payments (including facilitating payment card transactions initiated directly with us or through a third-party payment processor) and related authentication, security and fraud prevention activities for our customers and such other purposes as permitted by applicable law.

To help us provide software solutions that meet the evolving needs of our customers, we may aggregate personal data that we process for the purpose of anonymizing such personal data. We may then process the resulting anonymized data for any legal business purpose, such as analyzing usage trends.

When the purposes of processing are satisfied (i.e., when the provision of the services to the Keap customer ends), we will delete such personal data within six months.

Disclosure of Personal Data

We share personal data with our service providers, who process personal data on behalf of Keap. Such third parties include those:

• Providing IT systems and infrastructure
• Managing our IT systems and infrastructure
• Providing customer support
• Providing value-added services and feature functionality (such as assisting customers with marketing campaigns)
• Providing payment processing services including processing and facilitating payment card transactions initiated directly with us or through a third-party payment processor and related authentication, security and fraud prevention activities
• Providing communications services (such as email, voice over internet protocol, and SMS/MMS services)
• Providing integrations with other services if requested (such as email integrations and other complimentary services)

Personal data Personal Data may be provided, transferred to and stored by us in the United States and by our processors and service providers that are based in other countries. Therefore, personal data may be processed outside your jurisdiction, in countries that are not subject to an adequacy decision by the European Commission or your local legislature and/or regulator, and that may not provide for the same level of data protection as your jurisdiction, such as the European Economic Area. We will require that all of our processors and service providers have adequate level of protection, for instance by entering into the appropriate data protection agreements and, if required, standard contractual clauses for the transfer of data as approved by the European Commission. Keap remains liable for the protection of your personal data that we transfer to our processors and service providers, except to the extent that we are not responsible for the event giving rise to any unauthorized or improper processing.

We also share personal data with other third parties for the purposes for which we receive the personal data (e.g., performance of contractual obligations and rights).

Third Party Integrations and Add-On Services

Our services may allow for integrations with third-parties for additional functionality and add-on services. Please note that the privacy and other policies of any such third party integrations and add-on services may differ materially from this Policy. We strongly recommend that you review the privacy policies of any such third party prior to submitting personal data. Keap has no control over and is not responsible for the information practices of such third-parties.

Other Disclosure of Your Personal Data

We may also disclose your personal data (i) to the extent required by law or if we have a good-faith belief that such disclosure is necessary in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, or private parties, including but not limited to: in response to subpoenas, search warrants, or court orders, or (ii) if we sell or transfer all or a portion of our company’s business interests, assets, or both, or in connection with a corporate merger, consolidation, restructuring, or other company change.

If we must disclose your personal data in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, we may not be able to ensure that such recipients of your personal data will maintain the privacy or security of your personal data.

We will not (1) sell your personal data, (2) retain, use, or disclose your personal data for a commercial purpose other than providing services to our customers and business partners or as otherwise permitted by law, nor (3) otherwise retain, use, or disclose personal data except where permitted by applicable law or as set forth in our agreement with our customers or business partners.

Data Integrity & Security

Keap has implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect personal data from unauthorized processing such as unauthorized access, disclosure, alteration, or destruction. For more information on our security practices, please visit https://keap.com/legal/data-security.

Access & Review

If you are a data subject about whom we store personal data, you may have a right to request access to your personal data, update, correct, or delete your personal data, and to object to processing, request restriction of processing, or exercise your right to data portability. To submit such requests or raise any other questions, please contact the organization that provided your personal data to us. We make a reasonable effort to provide our customers the means to comply with the requests of their data subjects in our hosted sales and marketing software applications.

Privacy Contact

If you have questions, please contact us at:

• Email: [email protected]
• Telephone: +1 844 929-0667
• Web form: https://keap.com/legal/data-protection-faq#contact
• Postal Mail: Infusion Software, Inc.
  Attn: Legal Department
  1260 S. Spectrum Boulevard
  Chandler, AZ 85286
  USA

Our Data Protection Officer is:
Matthew Joseph, CIPP/US
[email protected]

We will promptly investigate and attempt to resolve complaints and disputes in a manner that complies with the principles described in this Notice. Please allow up to four weeks for us to reply. If you are an individual and believe your data has been submitted to us by or on behalf of our customer and you wish to exercise any rights you may have under applicable data protection laws, please inquire with the applicable customer directly. Because we may only act upon instruction from that customer, if you wish to make your request directly to us, please provide to us the name of our customer who submitted your data to us. We will refer your request to that customer, and will support them as needed in responding to your request within a reasonable timeframe.

European Union Representative

VeraSafe has been appointed as Keap’s representative in the European Union for data protection matters, pursuant to Article 27 of the General Data Protection Regulation of the European Union. VeraSafe can be contacted in addition to Keap only on matters related to the processing of personal data. To make such an inquiry, please contact VeraSafe using this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/ or via telephone at: +420 228 881 031.

Alternatively, VeraSafe can be contacted at:

Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork 123AT2P
Ireland

Regulatory Oversight

Keap is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

Changes to this Privacy Notice

If we make any material change to this Notice, we will post the revised Notice to this web page and update the “Effective on” date above to reflect the date on which the new Notice became effective.