(Last updated: December 4, 2018) –ROI Factory is committed to protecting the personal information of our customers and website visitors. It is important to us that you understand how we treat your personal information and we encourage you to read this Policy carefully.
For the purposes of GDPR, ROI Factory is the controller of your personal information, unless you are explicitly told otherwise. Where processing of personal information is also undertaken by our affiliates, subsidiaries with whom you engage, they are joint controllers with ROI Factory for your personal information.
ROI Factory provides programmatic support, consulting and campaign management services, facilitates and manages access to third-party services, and provides an innovative platform to clients to bring it all together (our “Services“). We may receive, access or otherwise process personal information in order to provide our Services (the “Client Data”) to clients. ROI Factory will only process Client Data on behalf of and under the instructions of our clients, as set out in our client agreements, or where otherwise required by applicable laws. Our Clients are the data controllers of their respective Client Data, and we are the data processor.
Information We Collect
We collect personal information directly from individuals, from third parties, and also automatically through the use of our Site. You do not have to provide us with your personal information to access much of our Site. However, if you choose not to disclose certain information, we may not be able to provide certain Services to you.
Information collected directly. We may collect personal information about you (such as your name, address, and contact details) directly from you. For example, when you fill out a ‘Contact Us’ form, signup for our mailing lists, register for events we host or sponsor, register for an account, post comments on our Sites, or otherwise provide us information through the Sites. Generally, the information we collect includes your:
- name, company name, and title/position
- email address, phone number, mailing address and contact details
- contact preferences and interests
- business affiliations
- for events, it may include dietary restrictions, requested accommodations and other event-related preferences
- other information related to your request or inquiry
Purposes and Legal Bases of Use
We use the personal information you provide to respond to your request or inquiry and in the ordinary course of conducting our business, including as set out below:
- Providing Support and Services: to provide and operate our Sites, communicate with you about your use of the Sites, provide troubleshooting and technical support, respond to your inquiries, fulfill your orders and requests, process your payments, communicate with you, and for similar service and support purposes.
- Responding to Your Requests: to respond to your inquiries, fulfill your orders and requests, and consider your request or application (e.g., if you have submitted a resume or other application information online or by email, we will use it as part of the application review process).
- Analytics and Improvement: To better understand how users access and use the Sites, and our other products and offerings, and for other research and analytical purposes, such as to evaluate and improve our services and business operations and to develop services and features.
- Personalization: to tailor content we may send or display on the Sites, including to offer location customization and personalized help and instructions, and to otherwise personalize your experiences.
- Advertising: to promote ROI Factory’s products and services on third-party websites.
- Marketing: for direct marketing purposes, including to send you newsletters, client alerts and information we think may interest you. If you are located in a jurisdiction that requires opt-in consent to receive electronic marketing messages, we will only send you such messages if you opt-in to receive them.
- Comply with Legal Obligations: To comply with the law or legal proceedings. For example, we may disclose information in response to subpoenas, court order, and other lawful requests by regulators and law enforcement, including responding to national security or law enforcement disclosure requirements.
- General Business Operations: Where necessary to the administration of our general business, accounting, record keeping and legal functions.
We also create and use anonymous and de-identified information to assess, improve and develop our business, products and services, and for similar research and analytics purposes. This information is not generally subject to the restrictions in this Policy, provided it does not identify and could not be used to identify a particular individual.
|Purpose of Processing /Legitimate Business Interests (see above)||Legal Bases of Processing (EU Users)*|
|Providing Support and Services, Responding to Your Requests||Necessary to Enter into or Perform a Contract with You (upon your request, or as necessary to make the Services available)Our Legitimate Business Interests*|
|Analytics and Improvement||Our Legitimate Business Interests**Establish, defend or protect our legal interests|
|Personalization||Our Legitimate Business Interests**|
|Marketing, Advertising||Our Legitimate Business Interests**With Your Consent|
|Protect Our Rights and Prevent Misuse, Comply with Legal Obligation||Compliance with law Establish, defend or protect our legal interests|
|General Business Operations||Our Legitimate Business Interests**Establish, defend or protect our legal interestsCompliance with law|
* For the personal data from the EU that we process, this column describes the relevant legal bases for such processing under GDPR (and local implementing laws of EU member states); this does not limit or modify the obligations, rights and requirements under the privacy laws of non-EU jurisdictions.
** For the personal data from the EU, the processing is in our legitimate interests, which are not overridden by your interests and fundamental rights. Our legitimate interests include assessing and improving our products and services, understanding our clients’ needs and interests so that we can make our services more useful to clients, providing clients with news, information and marketing materials that are more relevant, providing training opportunities for employees, improving how we analyze and assess the success of client campaigns, developing trend and benchmark reports, and similar purposes.
Disclosures of Personal Information
We do not sell your personal information to third parties. In general, we disclose the personal information we collect as follows:
- Affiliates. Your personal information may be shared with our affiliated companies, whose handling of personal information is subject to this Policy.
- Service Providers. We may share your information with third party service providers who use this information to perform services for us, such as payment processors, hosting providers, auditors, advisors, consultants, and customer service and support providers.
- Enterprise users. If you use the Services on behalf of your company (our client), we may share personal information about your access to the Services and your communications or requests to us, with the relevant enterprise client.
- Business Transfers. We may disclose or transfer information, including personal information, as part of any merger, sale, and transfer of our assets, acquisition or restructuring of all or part of our business, bankruptcy, or similar event, including related to due diligence conducted prior to such event where permitted by law.
- Legally Required. We may disclose your information if we are required to do so by law (e.g., to law enforcement, courts or others, in response to a subpoena or court order).
- Protect our Rights. We may disclose information where we believe it necessary to respond to claims asserted against us or, comply with legal process (e.g., subpoenas or warrants), enforce or administer our agreements and terms, for fraud prevention, risk assessment, investigation, and protect the rights, property or safety of us, our clients, and others.
- Anonymized and Aggregated Data. We may share aggregate or de-identified information with third parties for research, marketing, analytics and other purposes, provided such information does not identify a particular individual.
Cookies and similar devices:
Cookies. Cookies are alphanumeric identifiers that we transfer to your computer’s hard drive through your web browser for record-keeping purposes. Some cookies allow us to make it easier for you to navigate our Site, while others are used to enable a faster log-in process or to allow us to track your activities while using our Site. Most web browsers automatically accept cookies, but if you prefer, you can edit your browser options to block them in the future.
Clear GIFs, pixel tags and other technologies. Clear GIFs are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, which are stored on your computer’s hard drive, clear GIFs are embedded invisibly on web pages. We may use clear GIFs (also referred to as web beacons, web bugs or pixel tags), in connection with our Services to, among other things, track the activities users of our Services, help us manage content, and compile statistics about usage of our Services. We and our third-party service providers also use clear GIFs in HTML emails to our customers, to help us track email response rates, identify when our emails are viewed, and track whether our emails are forwarded.
Log files. Most browsers collect certain information, such as your IP address, device type, screen resolution, operating system version, and internet browser type and version. This information is gathered automatically and stored in log files.
Transferring Your Data
ROI Factory is headquartered in the United States, and has operations and service providers in the United States and throughout the world. As such, we and our service providers may transfer your personal information to, or access it in, jurisdictions (including the United States) that may not provide equivalent levels of data protection as your home jurisdiction. We will take steps to ensure that your personal data receives an adequate level of protection in the jurisdictions in which we process it, including through appropriate written data processing terms and/or data transfer agreements.
If you are in the European Economic Area, and we process your personal information in a jurisdiction that the European Commission has deemed to not provide an adequate level of data protection (a “third country”), we will implement measures to adequately protect your personal information, such as putting in place standard contractual clauses approved by the European Commission or another measure that has been approved by the EU Commission as adducing adequate safeguards for the protection of personal information when transferred to a third country. You have a right to obtain details of the mechanism under which your personal data is transferred outside of the EEA; you may request such details by contacting us as set forth in the “Contact us” section below.
Your Choices and Rights
Access, Amend and Correct. If you wish to access personal information that you have submitted to us, to request the correction of any inaccurate information you have submitted to us, to request deletion of or object to processing of your information, please send your request to firstname.lastname@example.org. We may ask you for additional information so that we can confirm your identity.
Direct Marketing. You may always opt-out of direct marketing emails from us by following the instructions in such emails. We may continue to send you transactional or service-related communications, such as service announcements and administrative messages.
Complaints. We will take steps to try to resolve any complaint you raise regarding our treatment of your personal information. You also have the right to raise a complaint with the privacy regulator in your jurisdiction.
Users in the European Economic Area.
Individuals in the EEA have the following rights with respect to their personal data:
- Access. You can ask us to: confirm whether we are processing your personal data; give you a copy of that data; provide you with other information about your personal data such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out any profiling, to the extent that such information has not already been provided to you in this Policy.
- Rectification. You can ask us to rectify inaccurate Information. We may seek to verify the accuracy of the data before rectifying it.
- Erasure. You can ask us to erase your personal data, but only where: it is no longer needed for the purposes for which it was collected; you have withdrawn your consent (where the data processing was based on consent); following a successful right to object (see ‘Objection’ below); it has been processed unlawfully; or to comply with a legal obligation to which we are subject. We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary: for compliance with a legal obligation; or for the establishment, exercise or defense of legal claims. There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances in which we would deny that request.
- Restriction. You can ask us to restrict (i.e. keep but not use) your personal data, but only where: its accuracy is contested (see ‘Rectification’ above), to allow us to verify its accuracy; the processing is unlawful, but you do not want it erased; it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; you have exercised the right to object, and verification of overriding grounds is pending. We can continue to use your personal data following a request for restriction, where: we have your consent; to establish, exercise or defend legal claims; or to protect the rights of another natural or legal person.
- Right to object. You can ask us to stop processing your personal information, and we will do so (i) to the extent that we are relying on our legitimate interests to use your personal information, you have the right to object to such use, unless we can either demonstrate compelling legitimate grounds for the use that override your interests, rights and freedoms or where we need to process the data for the establishment, exercise or defense of legal claims, and (ii) where we are processing your personal information for direct marketing purposes.
- Portability. You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it ‘ported’ directly to another Data Controller, but only where our processing is based on your consent and the processing is carried out by automated means.
- Withdrawal of Consent. You can withdraw your consent in respect of any processing of personal data which is based upon a consent which you have previously provided.
We have implemented safeguards and technical measures to protect the personal information that we have under our control from unauthorized access, use or disclosure. However, no data security measures can guarantee 100% security.
As a general rule, we retain your personal information for as long as necessary to fulfill the purposes for which it was collected or as necessary to comply with our legal obligations, resolve disputes, maintain appropriate business records, and enforce our agreements. In general, for example, we will retain relevant personal information of clients and Site visitors for at least three years from the date of our last interaction with you and in compliance with our obligations under applicable laws. Our clients instruct us on how long to retain Client Data, which we handle as a data processor. We may retain personal data for longer where required by our regulatory obligations, professional indemnity obligations, or where we believe necessary to establish, defend, or protect our legal rights and interests or those of others.
Information About Children
The ROI Factory site is not intended for minors under the age of 16. We do not knowingly or specifically collect information about minors under the age of 16. If you believe we have unintentionally collected such information, please notify us so that we can delete this information from our servers.
From time to time, we may update this Policy to reflect new or different privacy practices or to reflect changes in industry standards or legal requirements. We will place a notice online when we make material changes to this the Policy. Additionally, if the changes will materially affect the way we use or disclose Information, we will notify you in advance of the change by sending a notice to the primary email address associated with your account or by posting a notice on our Site. We encourage you to periodically review this Policy for the latest information on our privacy practices.
If you have questions or concerns regarding the way in which your personal data is being processed or this Policy, please email us at email@example.com.