Privacy Policy
First Implemented: October 2014
Last Updated: September 1, 2024
Symphony Communication Services, LLC (“Symphony”), together with its wholly owned subsidiaries—including Cloud9 Technologies, LLC (“Cloud9”), StreetLinx, Inc. (“StreetLinx”), and Amenity Analytics, Inc. (“Amenity”)—strongly believes in protecting the integrity and privacy of your personal information. Unless otherwise specified, Symphony, Cloud9, StreetLinx, and Amenity are collectively referred to as “us”, “our”, or “we.” The individual that accesses our Sites and/or Services is referred to as “you” and “your.”
This Privacy Policy describes how we collect, maintain, use, and share Personal Data and what choices you have with respect to the information. Please read the following carefully to understand our views and practices regarding data collected about you and how we treat it.
Certain sections of this Privacy Policy will apply or be read differently depending on which type of User you are. Under Applicable Data Protection Law, we are deemed to be the Controller for Direct Users and Visitors’ data. The legal basis of our processing is further described at the end of this Privacy Policy. For Authorized Users, your Company is the Controller and we merely act as the Processor and process data on their direction.
This Privacy Policy does not apply to any third-party websites, services, or applications, even if they are accessible through our Services. Additionally, this Privacy Policy should be read in conjunction with the EULA, as defined below, applicable for your particular use of the Services. Please make sure that you have read and understand the EULA. For Symphony Visitors, the applicable EULA is available here. For StreetLinx Authorized Users, the StreetLinx Services are subject to the Terms of Service, available here. For Amenity Authorized Users and Visitors, the Amenity Services are subject to the Terms of Service, available here.
For purposes of the applicable data protection laws, any questions regarding our policies or practices should be directed to our General Counsel at [email protected].
SECTION 1: DEFINITIONS
For ease of reference, certain terms are defined throughout this Privacy Policy. The first reference to any such term is designated in bold. The following terms have the following meanings:
“Applicable Data Protection Law” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements, or which otherwise relates to our Processing of Personal Data.
“Authorized User” is a User (generally an employee) that has been granted access credentials to the Service(s) from their Company pursuant to a Service Agreement between us and the Company.
“Company” is the company or organization that has paid us to use the Services pursuant to a Services Agreement and who has provided the User with access credentials to the Service(s). In most cases, this will be your employer.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Direct User” is a User that has been granted access credentials to the Service(s) directly from us or has been onboarded by another customer of our Services to send and receive communications. For example, if you are using a non-paid version of the Services (whether through the Site, through your mobile phone, as a sponsored institution on the Symphony Community Pod, or otherwise).
“End User License Agreement” (“EULA”) refers to the terms and conditions applicable to your use of the Site and/or Service. The EULA governs your relationship with us.
“Personal Data” refers to any data, information, or combination of information, or combination of data and information that is provided by you or your Company relating to your use of the Sites or Services that relates to an identifiable individual.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
“Site(s)” refers collectively to the public-facing websites maintained by Symphony, as well as its subsidiaries Cloud9, StreetLinx, and Amenity. This includes www.symphony.com.
“Service(s)” refers collectively to the Sites, cloud-based communication services, voice collaboration services, mobile applications, directory services, analytic services, and any other services provided by us.
“Service Agreement” refers to the contractual agreement providing terms and conditions applicable to your Company’s use of our Service(s). The Service Agreement governs your Company’s relationship with us.
“User” refers to Visitors, Direct Users, and Authorized Users.
“Visitor” refers to individuals that access the Sites.
SECTION 2: INFORMATION WE COLLECT ABOUT YOU
Our primary goals in collecting and using information are to provide and improve our Services, to administer your use of the Services, to respond to your comments and questions, to use your email address or other contact information to send you information related to the Services and to enable you to enjoy and easily navigate our Services. We have implemented and will maintain reasonable security controls to protect the confidentiality, integrity, and availability of the Personal Data that we process.
Visitors: If you are a Visitor, we will collect the following information about you:
- Information Collected Using Cookies and Other Web Technologies. Like many website operators, we use automated data collection tools such as Cookies and Web Beacons to collect certain information about your use of the Sites.
- “Cookies” are small text files that are placed on your device by a Web server when you access our Services. We use both session Cookies and persistent Cookies to identify that you’ve accessed the Services, logged in to the Services and to tell us how and when you interact with our Services. We also use Cookies to monitor aggregate usage and web traffic routing on our Services, to customize and improve our Services, and to deliver relevant content and advertising to you. Please note, however, that if you don’t accept Cookies, you may not be able to access certain portions or features of the Services. When you access our Site, certain third-party services providers that we engage could also place their own Cookies on your device. Note that this Privacy Policy covers only our use of Cookies and does not include use of Cookies by such third parties.
- “Web Beacons” (also known as Web bugs, pixel tags or clear GIFs) are tiny graphics with a unique identifier that could be included on our Services for several purposes, including to deliver or communicate with Cookies, to track and measure the performance of our Services and to monitor how many visitors viewed our Services.
- For more details as to how we use these technologies for the Sites, please refer to our Cookie Policy.
- Other Information. You may choose to provide us with other information by contacting us or by submitting your information through our Services. For example, if you submit your contact information (“Other Information”), such as to request more information about the Services or to register for events or webinars, we will use your contact information to send related communications that may be of interest to you, including information about the Services, promotions, or upcoming events.
Direct Users and Authorized Users. If you are a Direct User or an Authorized User, we will collect and use the following information about you in connection with your use of the Services:
- Account Information. You will need an account to use the Services. When an account is created, we will collect certain Personal Data that can be used to identify you. We may collect the information from you directly (in the case of a Direct User) or from the Company that sets your account (in the case of an Authorized User) (each an “Account”). The information collected may include identification information (e.g., first and last name), employment information (e.g., employer, job title, position, geographic location); contact information (e.g., username and email address); education information (e.g., university); location information (e.g., IP address); a profile picture; and investment focus areas We will only use such data for the purposes of providing the Services to you and, if applicable, your Company.
- Other Information. If you provide user feedback or contact us for user support, we will collect your name and email address as well as any other content included in your communication, in order to send you a reply or in order to improve the Services.
- Information Related to Use of the Services. We collect certain information about how our Services are used (we refer to this information as “Usage Data”). Usage Data could include information such as a User’s Internet Protocol (“IP”) address, browser type, operating system, a User’s interactions and/or activities within the Services, including the pages or features of our Services to which a User browsed, the time spent on those pages or features, frequency with which our Services and its features are used by a User, search terms, and other statistics. We use Usage Data to administer the Services and we analyze (and could engage third parties, who are under an obligation of confidentiality, to analyze) Usage Data to improve, customize, and enhance our Services. For Authorized Users, all use of your Usage Data will be subject to the terms and conditions of the Service Agreement between us and your Company (as applicable). Any use of Usage Data by third parties on our behalf will be subject to requirements that such third parties access such Usage Data on an unattributed basis (such that the identity of the individual User cannot be ascertained by the third party) and that such third parties maintain the confidentiality and integrity of such Usage Data.
- Posted Data. When you use services to post, send, or receive messages (including voice or video chat messages), files or any other information or text, audio, or video communication exchange posted to the Services, we will transmit and store the content of such exchange (“Posted Data”) as necessary to provide the Services.
- Voice Recordings. We may store recordings of all voice communications made through the Services as well as associated information about those communications, such as when placed, by whom, and how long they lasted.
- Information Sent by Your Device. We may collect certain information that your device may send when you use our Services, like a device identifier, user settings, and the operating system of your device, as well as information about your use of our Services. Such information helps us to, and will only be used in order to improve, customize, and enhance our Services.
- Location Information. When you use our Services and you enable location services on your device, we will collect and store information about your location by converting your IP address into a rough geo-location or by accessing your device’s location services (including GPS coordinates or coarse location). We will only use location information to improve and personalize our Services for you. How much of this information we collect depends on the type and settings of the device you use to access the Services.
Please note that if you decide not to provide us with the Personal Data that we or the Services request, you will not be able to access or use certain features of the Services.
SECTION 3: HOW LONG WE KEEP YOUR INFORMATION
Following your termination of Services, we will retain Personal Data as follows:
- Authorized Users. If you are an Authorized User, we will retain your Personal Data in accordance with your Company’s instructions, including any applicable terms in the Service Agreement, and subject to the requirements of applicable law.
- Visitors & Direct Users. We will retain your Personal Data for the period necessary to fulfill the purposes described in this Privacy Policy unless a longer retention period is required or permitted by law.
SECTION 4: WHO WE MAY GIVE YOUR INFORMATION TO
We will not share any Personal Data that we have collected from or regarding you except as described below, and in the sections of this Privacy Policy entitled “Where We Store Your Information and International Transfers” and “Information We Collect About You.”
Below is an explanation of who we may give your information to and for what purpose:
- We may disclose to others in our group
We may give your information to any of our subsidiaries or our ultimate holding company and its subsidiaries, who support our processing of Personal Data under this Privacy Policy.
- We may disclose to our service providers
We engage certain third-party services providers to work with us to administer and provide a portion of the Services. Such third parties include, but are not limited to:
- customer relationship management software providers, including Salesforce, headquartered in the US, which process your Personal Data globally, in order to assist us in providing the Services and contacting you;
- internet hosting and cloud service provider services, such as Amazon Web Services and Google Cloud Platform, headquartered in the US, which process certain Personal Data globally and enable us to offer a Software as a Service (“SaaS”) platform;
- distributors, shipping, and logistics companies to fulfill orders and ensure delivery of packages;
- customer support services and software providers, headquartered in the US and which process certain Personal Data globally, which allow us to deal with any service issues that Users may face and respond quickly to any questions about our Services;
- business analytics and billing service providers, headquartered in the US and which process your Personal Data in the US, which allow us to provide the Services to you and better understand how the Services are used; and
- software engineering service provider, headquartered in Vietnam, which allows us to efficiently build and maintain our platform.
Symphony is accountable for Personal Data that we receive and transfer to third parties (i.e., onward transfers). Accordingly, Symphony requires that these third-party services providers access and use Personal Data only for the purpose of performing services on our behalf, and in compliance with applicable laws and regulations (including, without limitation, the CAN-SPAM Act of 2003, the EU General Data Protection Regulation (“GDPR”) and the EU-US Data Privacy Framework Principles, as applicable). Such performance can include the processing of Personal Data, provided that in the case of Symphony Services, no such third-party service provider has access to your unencrypted Posted Data.
Such third parties will be required to maintain the confidentiality of all Personal Data that they process on our behalf and to implement and maintain reasonable security controls to protect the confidentiality, integrity, and availability of such Personal Data. For Authorized Users, we will comply with the terms and conditions of the Service Agreement in effect between us and your Company (who is the Controller of your Personal Data) in connection with any such onward transfer of your Personal Data. Any such service provider to whom we transfer Personal Data for processing on behalf of us is also required to only employ staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality with respect to your Personal Data.
We will take reasonable steps to confirm that any such service provider processes such Personal Data in a manner that provides at least the same level of data protection as is provided for by this Privacy Policy and, for Authorized Users, as is required of us pursuant to the Service Agreement in place between us and your Company. Lastly, we will obligate any such third-party service provider to notify us if such provider becomes unable to satisfy such data protection obligations, and we will take reasonable steps to stop and remediate unauthorized or noncompliant processing by such service provider, upon becoming aware of such processing.
- We may disclose to third parties to improve user experience
We may collect and share aggregated and de-identified information with third parties for industry research and analysis, demographic profiling and other similar purposes, and for third-party programs to access the Services in a manner that extends the user experience and helps us operate and improve the Services.
- We may disclose to third parties if we sell our business
Information that we collect from our Users, including Personal Data, is considered to be a business asset. Thus, if we are acquired by a third party as a result of a transaction such as a merger, acquisition or asset sale or if our assets are acquired by a third party in the event we go out of business or enter bankruptcy, some or all of our assets, including your Personal Data, will be disclosed or transferred to a third-party acquirer in connection with the transaction. The disclosure and transfer of any of your Personal Data to such third-party acquirer will be done in compliance with applicable law and regulation (including but not limited to the GDPR and the EU-US Data Privacy Framework Principles, as the case may be), and only as necessary in order to enable us or the relevant acquiror to continue to perform services to you or your Company.
- We may disclose to third parties where required by law, or in order to protect the rights, property, and safety of our company and our customers
We cooperate with government and law enforcement officials or private parties to enforce and comply with the law. In certain circumstances, we may disclose any of your Personal Data to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate: (i) to respond to claims, legal process (including subpoenas), law enforcement requests and national security requests; (ii) to protect the property, rights and safety of Symphony and its affiliates, our customers, and others; and (iii) to stop any activity that we consider illegal, unethical or legally actionable activity. In the event of such disclosure or transfer of your Personal Data to public authorities, there is a chance that we will not be able to require such public authorities to implement and maintain reasonable security controls to protect the confidentiality, integrity, and availability of your Personal Data.
- We may disclose to other Users
For Direct Users and Authorized Users of the Services, the information that is listed in your user profile, including, but not limited to, your profile photo, your Company and your name, will be published and viewable by other Users in our directory of Users so that other Users of our Services can connect with and contact you.
SECTION 5: OUR PROMOTIONAL UPDATES AND COMMUNICATIONS
Where permitted in our legitimate interest or with your prior consent where required by law, we may use your Personal Data for marketing analysis and to provide you with promotional update communications by email and social media platforms about our products/services. You can object to further marketing at any time by selecting the “unsubscribe” link at the end of all our marketing and promotional update communications to you, or by sending us an email at [email protected].
SECTION 6: WHERE WE STORE YOUR INFORMATION AND INTERNATIONAL TRANSERFERS
We are headquartered in the U.S. with offices and servers located in the U.S., among other places. We may store and process information on servers and equipment in other countries depending on a variety of factors, including the location of our Users and service providers and the demands of local law. We will use appropriate technical and organizational security measures to try to protect your Personal Data from loss, misuse, alteration, or destruction.
When we transfer Personal Data from the European Economic Area (“EEA”), the UK, or Switzerland to other countries, we make sure that such Personal Data is sent with appropriate safeguards, including the following:
- Data Privacy Framework: Symphony complies with the EU-US Data Privacy Framework (EU-US DPF), the UK Extension of the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF) as set forth by the US Department of Commerce. Symphony has certified to the US Department of Commerce that it adheres to the EU-US Data Privacy Framework Principles (EU-US DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-US DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US DPF. Symphony has certified to the US Department of Commerce that it adheres to the Swiss-US Data Privacy Framework Principles (Swiss-US DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-US DPF. If there is any conflict between the terms in this Privacy Policy and the EU-US DPF Principles and/or the Swiss-US DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/
- Model Clauses: In addition, we may execute model contractual clauses applicable to the transfer of Personal Data. For transfers from the EEA, we may utilize the European Commission’s model clauses, also known as the Standard Contractual Clauses, to ensure an adequate level of protection for the transfer of Personal Data to third countries such as the U.S. For transfers from the UK, we may utilize the UK’s International Data Transfer Agreement and/or Addendum.
Our data processing activities may be subject to the regulatory oversight of various applicable data protection authorities in the jurisdictions in which we operate or process data. In addition, the Federal Trade Commission has jurisdiction over Symphony’s compliance with the EU-US Data Privacy Framework (EU-US DPF) and the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF).
SECTION 7: YOUR RIGHTS
Users in EU, UK, Switzerland, and other Countries with equivalent laws
Data protection laws in a number of jurisdictions globally recognize data subjects have certain access rights to their data. If you are a User located in a country with such data subject access rights (e.g., a country within the European Economic Area, the UK, or Switzerland), depending on whether you are a Visitor, a Direct User, or an Authorized User, we will offer you certain choices regarding the collection, use and sharing of your Personal Data.
Authorized Users: If you are an Authorized User, the Personal Data associated with your Account is managed by your Company’s administrator. We can only act on the instructions of your Company, so you must contact them directly to exercise any rights over your Personal Data.
Visitors and Direct Users: If you are a Visitor or a Direct User, you have specific rights over the Personal Data that we control which you can exercise in specific circumstances, such as:
- Access: to know whether we process Personal Data about you, to access that Personal Data and find out how we use it and who we share it with;
- Portability: to receive a subset of the Personal Data we collect from you in a structured, commonly-used and machine-readable format, and to request that we transfer such Personal Data to another party.
- Correction: to require us to correct Personal Data about you that is accurate or incomplete;
- Erasure: to request that we erase Personal Data we hold about you in certain circumstances. Note that in cases where we grant your request for deletion, copies of erased Personal Data could remain in archived/backup copies for our records, as we are not always able to delete information from those locations;
- Restriction: to require us to stop processing the Personal Data we hold about you other than for storage purposes in certain circumstances; and
- Objection: to object to our processing of Personal Data about you and we will consider your request.
Please contact us at [email protected] with such requests. We will respond to your request as soon as we reasonably can and we will attempt to respond to all requests within 30 days of verifying your identity.
- Users in California
If you are a California resident, please refer to our Supplemental Privacy Notice for California Residents.
SECTION 8: CHILD SAFETY
The Services maintained by us are intended for use by adults, primarily in their business or professional capacities. Our Services are not directed to individuals under the age of 18 and we do not knowingly collect information from individuals under the age of 18. If we learn that we have collected Personal Data on an individual under 18, we will take appropriate steps to delete such information from our systems.
SECTION 9: CONFLICT BETWEEN THIS POLICY AND OTHER AGREEMENTS
Notwithstanding any other provisions of this Privacy Policy, nothing in this Privacy Policy will be interpreted to expand our rights under the privacy and data processing provisions of any agreement applicable to you, and specifically:
- Authorized Users: If you are an Authorized User in the event of any conflict or inconsistency between the provisions of this Privacy Policy, the EULA, and the Service Agreement with your Company, the applicable provision of the Service Agreement shall govern.
- Direct Users: If you are a Direct User, in the event of any conflict or inconsistency between the provisions of this Privacy Policy and the EULA, the applicable provision of the EULA shall govern.
- Visitors: If you are a Visitor, in the event of any conflict or inconsistency between the provisions of this Privacy Policy and the Terms of Service governing use of the Site, the applicable provision of this Privacy Policy shall govern.
SECTION 10: REVISIONS TO THIS POLICY
Any Personal Data that is collected via our Services is processed in accordance with the Privacy Policy in effect at the time such information is collected. We could revise this Privacy Policy from time to time. We will update the “Last Updated” date above to indicate when the Privacy Policy was last materially changed.
If we make any material changes to this Privacy Policy that adversely impact or decrease the privacy and security of Personal Data we will notify you as follows:
- Authorized Users: We will send your Company a notification at least 30 days prior to such change taking effect and provide your Company with a link to such updated Privacy Policy so they can notify you, and we will update the Site.
- Visitors and Direct Users: We will update the Site and comply with any notification requirements under applicable law.
SECTION 11: CONTACT US; QUESTIONS AND COMPLAINTS
Questions
If you have any questions about this Privacy Policy or our treatment of your information, please write to our General Counsel by email at [email protected] or by postal mail at:
Symphony Communication Services, LLC
565 5th Avenue, 18th Floor
New York, NY 10017
USA
Attn: General Counsel
Complaints and Data Requests
For the purposes of EU data protection laws, our representative in the EU is Symphony Communication Services Sweden AB, registered at c/o Head Office, Vasagatan 28, 111 20 Stockholm, Sweden with the contact email address [email protected].
For the purpose of the Data Privacy Frameworks, you can at any time submit a complaint, personal data access request or communicate any other issues arising under the Data Privacy Framework with respect to your use of the Services or our processing of your Personal Data to Symphony’s General Counsel at [email protected], or by courier to:
Symphony Communication Services, LLC
565 5th Ave, 18th Floor
New York, NY 10017
USA
Our London-based Office Manager, a representative of our UK subsidiary, Symphony Communication Services UK Ltd., can also be used as a point of contact for Europe-based and UK-based Users. The address of our UK office is:
Symphony Communication Services UK Ltd.
US&Co Monument
135 Bishopsgate
12th floor
London, EC2M 3TP
Our Head of Sales – APAC, can also be used as a point of contact for Asia-based Users. The address of our Singapore office is:
Singapore Communication Services Singapore Pte. Ltd.
8 Marina Blvd
Level 11
Marina Bay Financial Centre Tower 1
Singapore 018981
Dispute Resolution
We encourage you to first raise any complaints or inquiries with respect to our processing of Personal Data with our General Counsel, who may be reached by email at [email protected]. We will respond promptly to any such complaints or inquiries, within one month from the date on which we receive such complaint or inquiry and have verified your identity. This is without prejudice to your right to launch a complaint with the data protection authority in the UK, Switzerland, or in the EEA country in which you live or work.
In compliance with the EU-US DPF and the UK Extension of the EU-US DPF and the Swiss-US DPF, Symphony commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-US DPF and the Swiss-US DPF.
In addition, under certain conditions, you could be entitled to invoke binding arbitration for complaints regarding compliance with the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF) that are not resolve by any of the other mechanisms listed above. For additional information on arbitration, review the following link.
Legal Basis Table (see Section 2 for further information)
Please note that this table is only for Visitors and Direct Users and applies where we are the Controller. For Authorized Users, please contact your Company for information about its legal basis of processing.
Data Field | Data Field Processing Purpose | Legal Basis |
---|---|---|
Account Information |
|
|
Other Information (as defined above) |
|
|
Information collected using cookies and other web technologies |
|
|
Usage Data |
|
|
Posted Data |
|
|
Information sent by your mobile device |
|
|
Location information |
|
|