Privacy Policy

First Implemented: October 2014

Last Updated: September 29, 2016

Symphony Privacy Policy

Protecting your privacy is really important to Symphony Communication Services, LLC and its wholly owned subsidiaries, Symphony Communication Services UK Ltd. and Symphony Communication Services Hong Kong Limited (collectively, “Symphony”). With this in mind, we’re providing this Privacy Policy to explain our practices regarding the collection, use and disclosure of information that we receive through our website at www.symphony.com (the “Site”) and our cloud-based communication service which provides a secure, efficient and robust ecosystem for high-valued information exchange (the “Symphony Service” and collectively with the Site, the “Services”). This Privacy Policy does not apply to any third-party websites, services or applications, even if they are accessible through our Services. Also, please note that, unless we define a term in this Privacy Policy, all capitalized terms used in this Privacy Policy have the same meanings as in our Enterprise User Terms and Conditions (applicable if you are using the Services as part of a company that has a Master Services Agreement with Symphony), Business User Terms and Conditions (applicable if you are using the Services as part of a company that has Business Tier Terms and Conditions in place with Symphony (either of the Master Services Agreement or Business Tier Terms and Conditions being referred to herein as an “MSA”)) or End User License Agreement (each being referred to herein as a “EULA”), as applicable. So, please make sure that you have read and understand our EULA.

EU-U.S. Privacy Shield

Symphony Communication Services, LLC complies with the EU-U.S. Privacy Shield Framework (the “Privacy Shield”) as adopted and set forth by the U.S. Department of Commerce and the European Commission regarding the collection, use, retention and transfer of personal data from European Union member countries, as well as from Iceland, Liechtenstein and Norway. Symphony Communication Services, LLC commits to adhere to and has certified that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability, as well as the Supplemental Privacy Shield Principles, in each case with respect to all PII that Symphony Communication Services, LLC receives in reliance on the EU-U.S. Privacy Shield.

“Personally Identifiable Information” or “PII”, as used in this Privacy Policy, means any data, information, or combination of data and information that is provided by you to Symphony Communication Services, LLC or through your use of the Symphony Services, and which can be used to identify or locate you.

To learn more about the Privacy Shield, and to view Symphony Communication Services, LLC’s certification, please visit https://www.privacyshield.gov and https://www.privacyshield.gov/list, respectively.

U.S.-Swiss Safe Harbor

Symphony Communication Services, LLC complies with the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from Switzerland. Symphony Communication Services, LLC has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view Symphony Communication Services, LLC’s certification, please visit http://www.export.gov/safeharbor/.

VeraSafe Privacy Program

VeraSafe. Symphony is a member of the VeraSafe™ Privacy Program, meaning that VeraSafe has assessed Symphony’s data governance for compliance with the VeraSafe Privacy Program Certification Criteria. The certification criteria require that participants maintain a high standard for data privacy and implement specific best practices pertaining to notice, onward transfer, choice, access, data security, data quality, recourse and enforcement.

Data Controller. Symphony is the data processor with respect to any PII which you provide to Symphony when using the Symphony Service, with either you or your firm being deemed the data controller with respect to such PII. Symphony has no intention of further transferring any PII outside of the U.S. once it has been transferred from the EEA or Switzerland.

Complaints and Data Requests. You may at any time submit a complaint, personal data access request or communicate any other issues arising under the Privacy Shield with respect to your use of the Services or Symphony’s processing of your PII to Symphony’s General Counsel at [email protected], or by courier to:

Symphony Communication Services, LLC
1 World Trade Center, Suite 45D
New York, NY 10007
USA
Attn: General Counsel

Our London-based Office Manager, a representative of our UK subsidiary, Symphony Communication Services UK Ltd., may also be used as a point of contact for Europe-based Users. The address of our UK office is

Symphony Communication Services UK Ltd.
1st Floor 4 Lombard Street
London EC3V 9HD

Further, our Head of Sales – APAC, a representative of our Hong Kong subsidiary, Symphony Communication Services Hong Kong Ltd., may also be used as a point of contact for Asia-based Users. The address of our Hong Kong office is

Symphony Communication Services Hong Kong Ltd.
5/F Champion Tower
3 Garden Road
Central
Hong Kong

Symphony will respond promptly to any such complaints or inquiries, within a maximum of four weeks from the date on which we receive such complaint or inquiry.

If a privacy complaint or dispute cannot be resolved through Symphony’s internal process, Symphony has agreed to participate in the VeraSafe Dispute Resolution Procedure. Subject to the terms of the VeraSafe Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Dispute Resolution Procedure, please submit the required information here: https://www.verasafe.com/dispute-submission.

VeraSafe Privacy Seal

In addition, under certain conditions, you may be entitled to invoke binding arbitration to resolve a complaint or dispute arising under the Privacy Shield.

Regulatory Jurisdiction. The Federal Trade Commission and the relevant EU data protection authorities have jurisdiction to investigate and enforce any issues relating to compliance with or certification to the Privacy Shield. Symphony will cooperate and comply with the dispute resolution panel established by the relevant EU data protection authorities in addition to the VeraSafe Dispute Resolution Procedure.

Revisions to this Privacy Policy

Any information that is collected via our Services is processed in accordance with the Privacy Policy in effect at the time such information is collected. We may revise this Privacy Policy from time to time. We’ll update the “Last Updated” date above to indicate when the Privacy Policy was last materially changed.

If we make any material changes to this Privacy Policy that adversely impact or decrease the privacy and security of Personally Identifiable Information we’ll notify you of those changes by posting them on the Services or, if you are an Authorized User (collectively, “Authorized Users”) of a company that is subject to the terms of an MSA, by sending your company an email or other notification at least 30 days prior to such change taking effect and providing your company with a link to such updated Privacy Policy (or providing you with such updated Privacy Policy promptly upon request).

Collection and Use of Information Collected or Received from You

Our primary goals in collecting information are to provide and improve our Services, to administer your use of the Services (including your Account (as defined below), if you are an Account holder), to respond to your comments and questions, to use your email address or other contact information to send you information related to the Services and to enable you to enjoy and easily navigate our Services. Symphony has implemented and will maintain reasonable security controls to protect the confidentiality, integrity and availability of the PII that Symphony processes.

Account Information. To use the Services, you or your company (as the case may be) will need to create an account (“Account”) for you. If your company opted in for a single sign-on feature, your Account will be accessible through your work login credentials. When an Account is created, we’ll collect certain Personally Identifiable Information that can be used to identify you, such as your name, title, job description, location, email alias, email address and profile photo. We will only use such PII for the purposes of providing the Services to you and your company (as the case may be). We may also collect other information about you which might not be PII, which information will only be used for purposes of providing the Services to you or your company (as the case may be).

If you provide user feedback or contact us via email, we will collect your name and email address as well as any other content included in the email or feedback, in order to send you a reply or in order to improve the Services.

If your Account is created on behalf of your organization, we will also collect certain information about your organization, such as your organization’s corporate name, email address, postal address, phone number and billing information. If you create an Account using your login credentials from one of your Social Networking Service (“SNS”) Accounts (e.g., Facebook®, Twitter®, Google+™ or other social media sites), we’ll be able to access and collect your name and email address and other PII that your privacy settings on the SNS Account permit us to access. If you create an Account through the Services or one of your SNS Accounts, we may also collect your gender, date of birth, zip code and other information. We will only use this information for purposes relating to the provision of the Services to you and improvement of the Services.

Information Collected Using Cookies and Other Web Technologies. Like many website operators, we use automated data collection tools such as Cookies and Web Beacons to collect certain information.

“Cookies” are small text files that are placed on your hard drive by a Web server when you access our Services. We use both session Cookies and persistent Cookies to identify that you’ve accessed the Site, logged in to the Services and to tell us how and when you interact with our Services. We also use Cookies to monitor aggregate usage and web traffic routing on our Services and to customize and improve our Services. Please note, however, that if you don’t accept Cookies, you may not be able to access all portions or features of the Services. When you access our Site, some third-party services providers that we engage may also place their own Cookies on your hard drive. However, third-party service providers may not place their own Cookies on your hard drive when you access the Symphony Service. Note that this Privacy Policy covers only our use of Cookies and does not include use of Cookies by such third parties.

“Web Beacons” (also known as Web bugs, pixel tags or clear GIFs) are tiny graphics with a unique identifier that may be included on our Services for several purposes, including to deliver or communicate with Cookies, to track and measure the performance of our Services and to monitor how many visitors view our Services.

Information Related to Use of the Services. Our servers automatically record certain information about how a person uses our Services (we refer to this information as “Log Data”), including Authorized Users, Account holders and other users (each, a “User”). Log Data may include information such as a User’s Internet Protocol (IP) address, browser type, operating system, the pages or features of our Services to which a User browsed and the time spent on those pages or features, frequency with which our Services are used by a User, search terms, and other statistics. We use Log Data to administer the Services and we analyze (and may engage third parties, who are under an obligation of confidentiality, to analyze) Log Data to improve, customize, and enhance our Services by expanding their features and functionality and tailoring them to our Users’ needs and preferences. All use of your Log Data will be subject to the terms and conditions of the MSA (as applicable), and any use of Log Data by third parties on our behalf will be subject to requirements that such third parties access such Log Data on an unattributed basis (such that the identity of the individual user cannot be ascertained by the third party) and that such third parties maintain the confidentiality and integrity of such Log Data.

Posted Data. When you use the Symphony Services to post, send, or receive messages (including voice or video chat messages) or any other information or text, audio, or video communication exchange posted to Symphony Services, we may store the content of such exchange (“Posted Data”) as necessary to provide the Services.

Information Sent by Your Mobile Device. We collect certain information that your mobile device sends when you use our Services, like a device identifier, user settings, and the operating system of your device, as well as information about your use of our Services. Such information helps us to, and will only be used in order to, improve, customize and enhance our Services.

Location Information. When you use our Services, we may collect and store information about your location by converting your IP address into a rough geo-location or by accessing your mobile device’s location services (including GPS coordinates or coarse location) if you enable location services on your device. We will only use location information to improve and personalize our Services for you. If you do not want us to collect location information, you may disable that feature on your mobile device.

Treatment of PII Following Termination. If you are an individual User who is a natural person, following the termination of your access to or use of the Symphony Services, Symphony will, subject to the requirements of applicable law or any Governmental Authority, upon your request (such request may be sent to [email protected]) promptly destroy any of your PII that Symphony has in its possession. If you are a User who is utilizing the Symphony Services under the auspices your organization’s MSA with Symphony, then following the termination of your organization’s access to or use of the Symphony Services, Symphony will, subject to the requirements of applicable law or any Governmental Authority, return to your organization or promptly destroy any PII it has in its possession, to the extent required by and in accordance with such MSA.

Information that We Share with Third Parties

We will not share any PII that we have collected from or regarding you except as described below, and in the foregoing sections of this Privacy Policy entitled EU-U.S. Privacy Shield & VeraSafe Privacy Program – PII, Collection and Use of Information Collected or Received from You – Information Related to Use of the Services:

Information Shared with Our Services Providers. We may engage third-party services providers to work with us to administer and provide a portion of the Services. Such third parties include those providing customer relationship management software, Internet hosting services, SMS notification services, customer support services and customer support software. These third-party services providers have access to your PII only for the purpose of performing services on our behalf, and in compliance with applicable laws and regulations (including, without limitation, the CAN-SPAM Act of 2003 and the Privacy Shield, as applicable). Such performance may include the processing of PII.

Such third parties will be required to maintain the confidentiality of all PII that they process on our behalf and to implement and maintain reasonable security controls to protect the confidentiality, integrity and availability of such PII. If applicable, Symphony will comply with the terms and conditions of the MSA in effect between Symphony and your organization (as the data controller of your PII) in connection with any such onward transfer of your PII. Any such third-party service provider to whom Symphony transfers PII for processing on behalf of Symphony is also required to only employ staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality with respect to your PII. Symphony may remain legally accountable for the protection of your PII that we transfer to our third-party service providers.

Symphony will also take reasonable steps to confirm that any such third-party service provider processes such PII in a manner that provides at least the same level of data protection as is provided for by this Privacy Policy and as is required of us pursuant to the MSA in place between Symphony and the data controller. Lastly, Symphony will obligate any such third-party service provider to notify Symphony if such provider becomes unable to satisfy such data protection obligations, and Symphony will take reasonable steps to stop and remediate unauthorized or noncompliant processing by such third-party services provider, upon becoming aware of such processing.

Information Shared with Third Parties. We may collect and share aggregated and de-identified information (such that information cannot be identified as the information of a particular User and will therefore not include PII) with third parties for industry research and analysis, demographic profiling and other similar purposes, and for third-party programs to access the Symphony Service in a manner that extends the Symphony user experience and helps us operate and improve the Symphony Service.

Information Disclosed in Connection with Business Transactions. Information that we collect from our users, including PII, is considered to be a business asset. Thus, if we are acquired by a third party as a result of a transaction such as a merger, acquisition or asset sale or if our assets are acquired by a third party in the event we go out of business or enter bankruptcy, some or all of our assets, including your PII, may be disclosed or transferred to a third-party acquirer in connection with the transaction. The disclosure and transfer of any of your PII to such third-party acquirer will be done in compliance with applicable law and regulation (including but not limited to the Privacy Shield, as the case may be), and only as necessary in order to enable Symphony or the relevant acquiror to continue to perform services to you or your organization.

Information Disclosed for Our Protection and the Protection of Others. We cooperate with government and law enforcement officials or private parties to enforce and comply with the law. We may disclose any of your PII to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate: (i) to respond to claims, legal process (including subpoenas), law enforcement requests and national security requests; (ii) to protect our property, rights and safety and the property, rights and safety of a third party or the public in general; and (iii) to stop any activity that we consider illegal, unethical or legally actionable activity. In the event of such disclosure or transfer of your PII to public authorities, Symphony may not be able to require such public authorities to implement and maintain reasonable security controls to protect the confidentiality, integrity and availability of your PII.

Information Shared with Other Users. The information you list about yourself or, if you are an Authorized User of a company that is subject to the terms of an MSA, that is listed on your behalf by the company in your user profile, including, but not limited to, your profile photo, your organization and your name (collectively “Profile Data”), may be published and viewable to other Users in the Symphony directory of Users so that other Users can find you using the “Search” feature in the Services.

Your Choices

We offer you choices regarding the collection, use and sharing of your PII and we’ll respect the choices you make. Please note that if you decide not to provide us with the PII that we request, you may not be able to access or use all of the features of the Services.

Modifying Your Profile Data and Account (for Authorized Users with an Account that is managed by a company administrator). The PII associated with your Account and your Profile Data is managed by your company administrator. You may access, modify, correct, and amend such PII to the extent permitted by your company administrator and your company’s arrangements under the applicable MSA. For questions about how you can manage or restrict your Account and the extent to which you can delete Profile Data please contact the appropriate Symphony representative at your company. To the extent permitted by your company’s MSA, by applicable law, and by your company’s internal retention policy, we and your company (as applicable) will take reasonable steps to delete such information as soon as we can. Some information, including PII contained in your Profile Data, may continue to be held by your company subject to your company’s relevant retention policy, or as otherwise required by law or remain in archived/backup copies for our or your company’s records.

Modifying Your Information (for all other Users). You can request access to, or modification, correction, amendment, and deletion of your PII that Symphony controls. Please contact us at [email protected] with such requests. We will respond to your request as soon as we reasonably can. In cases where we grant your request for deletion, copies of erased information may remain in archived/backup copies for our records, as it is not always possible to delete information from those locations.

Our Policy Toward Children
You must be at least 18 years of age to use the Services. Our Services are not directed to individuals under 18 and we do not knowingly collect PII from individuals under 18. If we learn that we have collected PII of an individual under 18 we will take steps to delete such information from our files as soon as possible.

Conflict
Notwithstanding any other provisions of this Privacy Policy, nothing in this Privacy Policy will be interpreted to expand Symphony’s rights under the privacy and data processing provisions of the applicable MSA. If you are an Authorized User who is using the Services as part of a company that has an MSA with Symphony, in the event of any conflict or inconsistency between the provisions of this Privacy Policy, the MSA and the EULA, the applicable provision of the MSA shall govern. If you are not an Authorized User and are not using the Services as part of a company that has an MSA with Symphony, in the event of any conflict or inconsistency between the provisions of this Privacy Policy and the EULA, the applicable provision of the EULA shall govern.

Questions?
If you have any questions about this Privacy Policy or our treatment of your information, please write to our General Counsel by email at [email protected] or by postal mail at:

Symphony Communication Services, LLC
1 World Trade Center, Suite 45D
New York, NY 10007
USA
Attn: General Counsel