Policies

This SparkPost Privacy Policy (the “Privacy Policy”) applies to the SparkPost service, which includes the sending of digital messages and related digital messaging services (the “Services”) offered by Message Systems, Inc., d/b/a SparkPost, a Delaware corporation, (“SparkPost,” “we,” ‘”us” or “our”) to any individual, organization, business entity, and/or user (“you” or “your”), through the website SparkPost.com or any other websites or mobile applications (collectively, the “Site”) that reference or link to this Privacy Policy.  SparkPost is committed to: (1) protecting the privacy of data that we process or store relating to your use of the Site and/or Services; (2) maintaining the integrity of the data we collect from you; and (3) complying with our legal obligations with respect to such data and information.  By using the Site and/or the Services, you consent to our collection, use and disclosure of information, and our processing of your data, as described in this Privacy Policy.

We collect personal information (“personally identifiable information“ or “PII”) about users of the Site and/or Services.  In general, that means we collect PII about you when you provide it to us for the reason you provided it to us.  The other instances in which we may collect and use PII are described below.

We may collect PII when you do any of the following:

• register as a user of the Site and/or the Services;
• use the Services to send email or other digital messages;
• use the Site to communicate with or otherwise interact with other users, our staff, or other persons who are permitted to interact with and use the Site (such as support personnel or services);
• participate in any contests, sweepstakes, surveys, user panels, focus groups or other interactive services on or related to the Site;
• visit or participate in forums or other discussions that we host or provide; or
• submit your contact information to us for the purpose of being contacted regarding our Services and for us to provide customer support.

We may collect the following PII:

• your contact information (e.g., your name, physical address, mailing address, email address, digital message address, and phone and fax numbers);
• your billing information (e.g., credit card information, billing address, etc.);
• your demographic and survey information (e.g., job function, title, topics of interest, purchase interest level, survey responses, and information solicited through online registration forms);
• your history as our customer (e.g., your order(s), payment history, Site and Services usage, promotional history, inquiries, and responses); and
• all content posted in public areas (e.g. online forum posts, comments on blog posts, articles, or other content on community areas, etc.).  NOTICE:  In order to maintain standards for online conduct in public areas we provide and/or sponsor, we may remove or appropriately edit/redact an inappropriate posting when we find it.

We may use your PII in the following ways:

• to respond to your inquiries and fulfill your requests, such as to send you newsletters, reports, or other communications;
• to send administrative information to you, for example, information regarding the Services and changes to our terms, conditions, and policies as well as notice regarding compliance actions we may take;
• to complete and fulfill your subscription purchase, for example, to process your payments, communicate with you regarding your subscription purchase and provide you with related customer service or technical support;
• to send you marketing communications that we believe may be of interest to you (including announcements about new services or products, featured editorial content, co-sponsored products, events, special sales and promotions, and more);
• to personalize your experience with the Services by presenting products and offers tailored to you;
• to allow you to participate in sweepstakes, contests and similar promotions and to administer these activities.  Some of these activities have additional rules, which could contain additional information about how we use and disclose your PII, so we suggest that you read these rules carefully;
• to facilitate social sharing functionality;
• to allow you to send messages through the Services.  By using this functionality, you are telling us that you are entitled to use and provide us with your recipients’ name and email address or other digital sending and receiving address; and
• for our business purposes, such as data analysis, audits, fraud monitoring and prevention, development of new products, enhancing, improving or modifying our Services, identifying usage trends, determining effectiveness of our promotional campaigns and operating and expending our business activities.

We may disclose your PII to the following:

• to our affiliates: (i) Message Systems EMEA Limited, a private company limited by shares registered in England and Wales; (ii) Message Systems, Pte. Ltd., a private limited company organized under the laws of Singapore; and (iii) Port 25 Solutions, Inc. a Maryland corporation; in each case for the purposes described in this Privacy Policy.  Message Systems, Inc., a Delaware corporation, is the party responsible for the management of the jointly-used PII;
• to our third-party contractors who maintain the Site and assist us with providing the Services.  Such contractors who may have access to your PII include providers of services, such as website hosting, server hosting, data analysis, payment processing, subscription entitlement management, order fulfillment, information technology and related infrastructure provision, customer service, email delivery, credit card processing, auditing, content scanning and other similar services.  They are permitted to access and use your PII solely and exclusively in performance of their duties to us or to comply with applicable laws, and they owe us either direct employment duties, or they have signed confidentiality agreements, such that they are obligated to keep your PII confidential; and
• to our partners and sponsors.  Many of our products and offerings, including events, are offered in connection with other companies who are partners or sponsors.  When you register for these activities, the names of any partners and sponsors will be clearly visible.  We may maintain the PII you provide when you register for these sponsored programs and we may share it with our partners and sponsors.  They may use the information in accordance with their own privacy policies.  If you have concerns about how they may use the information you provide, please refer to each partner or sponsor’s privacy policy.  Unlike other disclosures of information, you cannot opt-out of contacts from partners and sponsors through us.  You must contact the partners or sponsors directly.

We may also disclose your PII in the following circumstances:

• Audits and Business Operation.  We are subject to various audits by accountants, clients, and government regulators.  In the course of such audits, such auditors may come into contact with PII.  Where possible, we require such auditors to keep confidential and not disclose PII consistent with law.  In certain governmental audits, we may not be able to require such confidentiality.  In addition, we may disclose PII to our attorneys as may be required to obtain legal advice about our and your legal rights and obligations.
• Government and Litigation Requests.  We reserve the right to use or disclose PII in connection with: (i) legal proceedings or preparations therefore; (ii) to respond to judicial or other government process such as court orders, subpoenas, requests for discovery and similar litigation relation requirements; (iii) to provide information to law enforcement agencies or for an investigation on a matter related to public safety; and (iv) in general to comply with applicable laws, government requests and court orders.  We may elect to make these disclosures even if we have not received a subpoena, if we believe in good faith that we have a legal obligation to do so, or if we believe that our failure to do so may result in liability to us, or a violation of law.  If we receive a subpoena or other legal demand for your PII, we may endeavor to notify you of the subpoena or demand by contacting you at the current email address that we have for you.  However, we cannot promise that we will always be able to send you a notice, that we will attempt to contact you if the email we send fails to get to you, that we will be able to send you the notice before we turn over your information, or that we will resist the request.  Unless prohibited by applicable law or other obligations we owe you, we retain the right to impose upon you a reasonable charge for certain requests for your information or data.
• Change of Control.  If we were to undergo a merger, acquisition, corporate reorganization or recapitalization, divestiture, sale of substantially all of our assets, bankruptcy, or other change in control (in each case which may be in respect of the division that administers the Site or the Services, and not necessarily the entire company), PII may be used or disclosed in connection with those activities, which may include the entire transfer of our database of PII to such successor or assignee entity.

We will retain your PII only for the period necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by applicable law.

For PII that is subject to the European Commission’s Directive on Data Protection (“EU-PII”), we have committed and have certified to handling such information in accordance with the U.S. – E.U. Privacy Shield Policies as promulgated by the U.S. Department of Commerce.  Our disclosures, notices and obligations under Privacy Shield are set forth in the Privacy Shield portion of the Privacy Policy (available at:http://www.sparkpost.com/policies/privacy/privacyshield), which is incorporated herein by reference with regard to EU-PII.  The provisions of the Privacy Shield portion of our Privacy Policy apply only to EU-PII obtained by us from persons who are residents of countries other than the United States that reside in a jurisdiction that has adopted the Privacy Shield framework (i.e. the Privacy Shield portion of this Privacy Policy does not apply to residents of the United States).

We apply different types of cookies and other similar technologies on the Site.  Cookies are a standard feature of websites that allow us to store small amounts of data on your computer about you or your visit to the Site.  Cookies help us to learn which areas of the Site are useful and which areas need of improvement; they also help make your use of the Site more responsive.  The list of cookies, which we apply on the Site can be found on the Cookie List portion of our Privacy Policy (available at: http://www.sparkpost.com/policies/privacy/cookies). We will update this list, from time to time, as we change applicable cookies and third party sites that we use.

We use the information collected by cookies in the following ways:

• to deliver, improve and develop services.  We may use anonymous information that we gather to provide and improve the Services and/or the Site for all of our users, and to help us develop and implement other services and products in the future.  For example, drawing from a large pool of anonymous data regarding the success of our Services to deliver messages may allow our Services to improve deliverability success for all of our users.
• to advertise our services.  We may use anonymous information we gather to advertise the performance and other value derived from the use of our Services.
• to write data-supported articles related to best-practices and other literature regarding messaging.

You may choose to accept or reject cookies from the Site at any time by activating the applicable settings on your Internet browser.  Information about the procedures to follow in order to enable or disable cookies can be found on your Internet browser provider’s website.  You may wish to refer to http://www.allaboutcookies.org/manage-cookies/index.html for information on commonly used browsers.  Please be aware that if cookies are disabled, not all features of the Site may operate as intended.  For more information on cookies, you can visit the US Federal Trade Commission’s website at: https://www.ftc.gov/site-information/privacy-policy/internet-cookies.  Please note that we do not support or endorse any of the products or services listed at such websites.

The Site is not intended for use by minors (natural persons under the age of 18).  We do not knowingly solicit data online from, or market online to, anyone under the age of 18.  If we learn that we have obtained personally identifiable information online in error about anyone under the age of 18, we will delete that information as soon as we can.  We encourage parents to supervise their children so that they do not disclose any PII about themselves in any of our public discussion areas.  We cannot prevent minors from visiting the Site.  We must rely on parents, guardians and those responsible for supervising anyone under the age of 18 to decide which materials are appropriate for such children to view and/or purchase.  Pursuant to 47 U.S.C. Section 230(d), as amended, we hereby notify you that parental control protections (such as computer hardware, software or filtering services) are commercially available that may assist you in limiting access to material that is harmful to minors.  Information identifying current providers of such protections is available at the US Federal Trade Commission’s OnGuard Online website at: http://onguardonline.gov/.  Please note that we do not support or endorse any of the products or services listed at such websites.

Message Systems, Inc., d/b/a SparkPost is responsible for writing this policy and for its compliance with it.  The person who is primarily responsible for our oversight and compliance with this policy is the Privacy Officer.  Anyone who has a question, comment, or complaint about this policy should contact the Privacy Officer:

Privacy Officer
privacy@sparkpost.com

A request should include sufficient contact information, such as name, address, telephone number, and email address.  We promise to make a good faith attempt to resolve any complaint or problem you bring to our attention.

Your continued use of the Site, and/or the Services constitutes your acceptance of this Privacy Policy, including any changes, unless you elect to terminate such use and opt-out of communications.  We do not expect to change our respect for your wishes and your privacy.  However, new laws, new products and services, and changes to our business operations and/or structure could require changes to our policy.  We expect that any policy changes will be consistent with Privacy Shield standards (to the extent they apply) and other legal requirements.  We may modify this policy prospectively at any time by posting the revised version on the Site or sending you a copy of the modified document through other reasonable means.  Your continued use of the Services will be considered acceptance of any such modification.  All modifications to this policy will be effective immediately upon posting, unless otherwise noted by us.

**Ver 2.0 August 26, 2016

The categories of cookies we apply are described below:

• Essential Cookies. these cookies enable you to navigate the Site and to use the Services or features.  Without these absolutely necessary cookies, the Site may not perform as smoothly for you as we would like it to and we may not be able to provide the Site or certain Services or features.
• Preference Cookies. these cookies collect information about your choices and preferences, and allow us to remember language or other local settings and customize the Site accordingly.
• Social Media Cookies. these cookies collect information about your social media usage.  These cookies collect information about your activities on social media sites to provide you relevant content.
• Analytics Cookies. these cookies collect information about your use of the Site, and enable us to improve the way it works.  For example, analytics cookies show us which are the most frequently visited pages on the Site, help us record any difficulties you have with the Site, and show us whether our marketing is effective or not.  This allows us to see the overall patterns of usage on the Site, rather than the usage of a single person.  We use the information to analyze the Site traffic, but we do not examine this information for individually identifying information.
• Advertising Cookies. these cookies are set to display targeted promotions or advertisements based upon your interests on the Site or to manage our advertising.  These cookies collect information about your activities on this and other sites to provide you targeted advertising.

The following is a list of cookies that we use and a brief description of them:

**Ver. 1.2 August 26, 2016

The provisions in this portion of our Privacy Policy apply only to EU-PII obtained from persons who are residents of countries other than the United States that reside in a jurisdiction that has adopted the Privacy Shield framework (i.e. this portion of the privacy policy does not apply to residents of the United States).

We hereby state:

1. We agree to participate in, and adhere to, the U.S. – E.U. Privacy Shield Principles, which are detailed at: http://www.privacyshield.gov as well as the Privacy Shield Supplemental Principles and the Privacy Shield Annex set out in that link (collectively the “Principles“).  We further disclose that the full list of the organizations participating in U.S. – E.U. Privacy Shield is available at: https://www.privacyshield.gov/list.  This Privacy Shield portion of the Privacy Policy is designed to be compliant with the Principles; to the extent it is not compliant, then this Privacy Shield portion of the Privacy Policy shall be deemed to be modified to the extent required to be, and construed to be, consistent and in compliance with the Principles;
2. We collect the types of personal data disclosed in the section entitled “Personally Identifiable Information” of our Privacy Policy and all of our affiliated entities, namely: (i) Message Systems EMEA Limited, a private company limited by shares registered in England and Wales; (ii) Message Systems, Pte. Ltd., a private limited company organized under the laws of Singapore; and (iii) Port 25 Solutions, Inc. a Maryland corporation (collectively our “Affiliates“), also agree to adhere to the Principles;
3. Our commitment to be subject to the Principles in regards to all EU-PII received in reliance of the Privacy Shield;
4. The purposes for which we collect and use EU-PII is stated in the section entitled “Personally Identifiable Information” in the Privacy Policy (available at: http://www.sparkpost.com/policies/privacy);
5. You may contact us (including any of our Affiliates) with any inquiries or complaints as follows:SparkPost
   Message Systems, Inc.
   9130 Guilford Road
   Columbia, MD 21046
   USA
   c/o Privacy Officer

   or via email:
   privacy@sparkpost.com with the subject “PRIVACY INQUIRY”

   A request should include sufficient identifying information, such as name, address, telephone number, and email address.  We may request additional authentication and verification information from you, including residency verification. HOWEVER, PLEASE DO NOT INCLUDE ANY OTHER PII OR OTHER SENSITIVE INFORMATION IN ANY EMAIL SENT TO US.  EMAIL IS INHERENTLY INSECURE AND WE DO NOT GUARANTEE ANY PROTECTION OF EMAIL SENT TO US THAT CONTAINS PII OR OTHER SENSITIVE INFORMATION.

   If you are not satisfied with the response of the Privacy Officer, you can appeal to our General Counsel by sending a written letter to:

   SparkPost
   Message Systems, Inc.
   9130 Guilford Rd.
   Columbia, Maryland 21046
   USA
   c/o General Counsel

   or via email:
   legal@sparkpost.com with the subject “PRIVACY APPEAL”

6. The type and, where applicable, identity of third parties to which we disclose personal information and the purposes for which we do so is set forth in the section entitled “Personally Identifiable Information” in the Privacy Policy (available at: http://www.sparkpost.com/policies/privacy);
7. Individuals have a right to access their personal data, as described more fully below in the section entitled “ACCESS;”
8. Individuals have the choices and means for limiting the use and disclosure of their personal data, as described more fully below in the section entitled “CHOICES;”
9. We have selected JAMS, https://www.jamsadr.com/eu-us- privacy-shield, as the independent dispute resolution body (the “Arbiter“) designated to address your complaints and provide appropriate recourse to you free of charge.  JAMS is an alternative dispute resolution provider based in the United States.  An individual who decides to invoke this arbitration option must first, prior to initiating an arbitration claim, raise the claimed violation directly with us and afford us an opportunity to resolve the issue within the timeframe set forth in the Principles. If you have exhausted all other means to resolve your concern regarding a potential violation of our obligations under the Principles, you may invoke binding arbitration before the Privacy Shield Panel. For additional information about the arbitration process please visit the Privacy Shield website atwww.privacyshield.gov;
10. We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) and other United States governmental agencies;
11. We are required to disclose your personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; and
12. We are liable in cases of onward transfers of your personal information to third parties, as discussed more fully below in the section entitled “ACCOUNTABILITY FOR ONWARD TRANSFER.”

In connection with the above we make the following additional statements and commitments:

We encourage users to keep their contact information up to date. If we maintain information about you covered by this Privacy Shield portion of the Privacy Policy, we will provide you with access, correction and deletion rights in line with applicable legal requirements of the Principles.

We may also maintain publicly available or restricted information (i.e. information shared with a limited set of people such as “friend-only” content) that you have posted.  In some cases, we may permit you to modify that information, but in other cases, we may prohibit modification and either allow you to select a configurable option to make the information publicly unavailable via privacy settings or to change the types of people who can review such information.  Examples of instances where we may prevent modification:  (i) where we have received a notice that such content infringes a third party’s rights; (ii) where we have received a “litigation hold” letter; (iii) where we believe we owe a legal duty to retain the original posting; (iv) where a law enforcement officer demands we preserve our records and; (v) in other similar types of circumstances.

Anyone seeking to know if we have information about them under Privacy Shield or applicable law or who wants access to (or a copy of) his or her personal data can make a request in writing as provided in the section entitled “NOTICE” above.

We will not normally charge you to inspect or receive a copy of the information we maintain about you.  We reserve the right, however, to impose reasonable charges for requests that are very detailed, and for repeated requests and to deny or ignore requests we deem to be harassing.  If we receive a subpoena or other similar court order or government request relating specifically to your information, we reserve the right to impose on you reasonable charges for responding to such request, unless prevented from doing so by applicable law.

A request for correction should identify the contested information; should state whether the information is incorrect, inaccurate, or incomplete; and should state what information should appear in place of the contested information.

In compliance with applicable laws, we may elect to provide some or all of the PII you requested via electronic means, or to provide an electronic view of your data that we retain.

We do not permit modification of anonymous data, or transactional data for payment transactions, support requests or other relationship related communications, nor may you modify data that is generated merely by operation of your interaction with us, such as tracking, Site use or other similar types of automatically collected information.

Except as noted below, we offer individuals the opportunity to choose (opt out) whether their personal information is: (i) to be disclosed to a third party; or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals.  We provide clear, conspicuous, and readily available mechanisms to exercise this choice on the site.

We note that we do not provide the above opt out choice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization, where we have entered into a contract with such agent.

With respect to sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), which we do not collect, but if we ever do collect such information, we will obtain affirmative express consent (opt in) from individuals if such information is to be: (i) disclosed to a third party; or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice.  We will also treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.

Subject to the next paragraph of this Section, we offer users the opportunity to opt out of being contacted by us.  All promotional and research email messages you receive from us will include an option to opt out of future email communications from the particular business unit that contacted you.  In addition, you may use technological tools to block or restrict automated data collection we perform, as disclosed in the section entitled “Cookies” in the Privacy Policy.  As disclosed there, blocking some automated data collection tools we use will impair or in some cases prevent the functionality of our site.

Exceptions:  Users cannot opt-out of some data collection and data use and disclosure of information, for example opt-outs do not affect our use of personal information to communicate with you on Services related issues (for example, notices of changes to our Terms of Use or this policy, or notices regarding Services unavailability) and in internal management or the disclosure of personal information to third parties who are our agents and that have a reasonable need to know of or use the information to assist us in providing you the Services (as discussed above).

We enter into contracts with third-party data controllers, which provide (i) that data subject to the Privacy Shield may only be processed for limited and specified purposes consistent with the consent provided by the individual; and (ii) that the recipient will provide the same level of protection as the Principles and will notify us if it makes a determination that it can no longer meet this obligation and that if such a determination is made, the third-party controller will cease processing or will take other reasonable and appropriate steps to remediate.

We transfer personal data to a third party acting as an agent under the following conditions: (i) for limited and specified purposes; (ii) we ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) we take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) we require the agent to notify the us if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) we will, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) we will provide a summary or a representative copy of the relevant privacy provisions of our contract with that agent to the U.S. Department of Commerce (the “Department“) upon request.

We use reasonable, industry-standard precautions, including appropriate technical, administrative, and physical procedures, to protect EU-PII from loss, misuse, unauthorized access, disclosure, alteration, and destruction.  Due to the design of the Internet and other factors outside our control, we cannot guarantee that communications between you and our servers will be free from unauthorized access by third parties.

When we share EU-PII with third parties hired to help us with our activities, we require that they provide reasonable security for the information.  However, we are not responsible for any breach of security by third parties (except to the extent applicable law or the Privacy Shield provides otherwise).

Consistent with the Principles, we collect only personal information that is relevant for the purposes of processing it.  We do not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.  We take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.  We will adhere to the Principles for as long as we retain such information.

We retain information that is in a form identifying or making identifiable the individual only for as long as it serves a purpose of processing within the meaning of the Principles.  This obligation does not prevent us from processing personal information for longer periods for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research, and statistical analysis. In these cases, such processing shall be subject to the other Principles and provisions of the Privacy Shield Framework and we will take reasonable and appropriate measures in complying with this provision.

We provide readily available independent recourse mechanisms by which each individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles, and we acknowledge that we will be liable for damages awarded where the applicable law or private-sector initiatives so provide.  Specifically these independent recourse mechanisms are:  (i) compliant with private sector developed privacy programs that incorporate the Privacy Shield Principles into their rules and that include effective enforcement mechanisms of the type described in the Recourse, Enforcement and Liability Principle; (ii) compliant with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; and (iii) commited to cooperating with European Union data protection authorities (“DPAs”) or their authorized representatives.

Specifically, we commit to cooperate with the DPAs, including but not limited to cooperating with the DPAs in the investigation and resolution of complaints brought under the Privacy Shield and complying with any advice given by the DPAs where the DPAs take the view that we need to take specific action to comply with the Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and we further agree to provide the DPAs with written confirmation that such action has been taken.

We have procedures to follow-up to verify that the attestations and assertions we make about our privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of non-compliance.  Note that we are currently verifying compliance with the Principles through self-assessment, however, we may later elect for third party verification.  In connection with such self-assessment, we state we have in place procedures for: (i) training employees in implementation of the Principles; (ii) disciplining them for failure to follow them; and (iii) periodically conducting objective reviews of compliance with the above.

In creating, maintaining, using or disseminating personal information, we commit to taking reasonable and appropriate measures to protect such personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.

We agree to remedy problems arising out of failure to comply with the Principles and we state our adherence to such Principles.

We agree that we will respond promptly to inquiries and requests by the Department and EU member states for information relating to the Privacy Shield and our compliance with it.

We will follow the terms set forth in Annex I to the Privacy Shield, provided that an individual has invoked binding arbitration by delivering notice to us and following the procedures and subject to the conditions set forth in Annex I.  Note that terms set forth in Annex I to the Privacy Shield may be subject to the procedures of our designated Arbiter.

**Ver 1.0 August 26, 2016

Previous version