Data Protection and Privacy Policy Statement
This Privacy Policy describes how Monsido collects, uses, shares, and secures your Personal Data when you access our Website (monsido.com) or our Monsido Platform interface (app.monsido.com), use our Services (defined below), or otherwise interact with us. This Privacy Policy contains an explanation of your rights regarding Monsido’s use of your Personal Data and how we communicate with you.
Monsido attaches great importance to ensuring that your personal data is collected, used, stored, and erased in accordance with the current applicable regulations as stipulated by local, state, national, federal, and other data protection legislation. Protecting your data is a matter of great importance to our company. If you have requests concerning your personal information or any questions, please contact us privacy@monsido.com.
Monsido’s Role As A Data Controller
Monsido makes available this Privacy Policy in compliance with its role as a data controller, as that role is defined by relevant legislation. This means that it applies to when Monsido collects, uses, shares, and processes data at a non-application level.
This Privacy Policy does not apply to the extent we are acting as a Customer’s data processor. To learn more about our processing activities as a data processor when rendering our software-as-a-service offering, please see the relevant documentation on our Compliance page or refer to your Customer Data Processing Agreement. This Privacy Policy also does not apply to Monsido’s human resources activities (recruiting and employment) or to our vendor- related activities when we are acting as a data controller. For more information on such activities, please refer to our Employee Privacy Policy posted on Monsido’s Internal Knowledge Base or as otherwise made available to you during our recruitment and due diligence processes.
We base our corporate definition of “data controller” and “data processor” on those set forth in the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation (“GDPR”)). We use the GDPR framework as our standard as Monsido originated in the European Union (Denmark) and is from where its Monsido Platform continues to be developed.
In addition to the GDPR, Monsido also complies with the Retained Regulation (EU) 2016/679 (“UK GDPR”) and the Data Protection Act 2018 (DPA 2018); Act 199 of 1988, Australian Privacy Act of 1988 and its Australian Privacy Principles (“APP”); California Consumer Privacy Act of 2018, as amended; and various other data protection and cybersecurity regulations to which Monsido may be bound. For more information for our U.S. state law privacy compliance, see our Notice at Collection.
Monsido operates globally, with each office acting as a data controller in the following circumstances:
- Monsido ApS (Borupvang 3, 2750 Ballerup, Denmark): International Marketing; Website provision; EEA/Swiss Sales; Product-related activities; Development; Security
- Monsido LLC: North America Sales
- Monsido LTD: United Kingdom and Wales, Ireland Sales
- Monsido PTY Ltd: Australia and Asia-Pacific Sales
We also act as a co-data controller with our parent company, U.S.-based CivicPlus, LLC, pursuant to Standard Contractual Clauses and in the following circumstances: Global customer invoicing; Finance; Legal; Compliance; and US marketing. Please refer to the CivicPlus Privacy Policy for more information about how CivicPlus collects, uses, shares, and secures Personal Data.
Finally, end Users of our Monsido Platform are asked to please note Monsido also collects Personal Data on behalf of our Customers in accordance with our Customers’ specific instructions, such as pursuant to a Data Processing Agreement. If you are an employee or contractor of a Monsido Customer and have questions about how our Customer has instructed us to collect, use, store, process, or otherwise handle your Personal Data, you should contact the Customer directly. Customers maintain their own privacy practices concerning the collection, use, storage, processing, and handling of their end-users' Personal Data and should be the first point of contact if making a data subject access request.
1. Definitions
For purposes of this Privacy Policy the following definitions are applied:
References to “Customer” mean a company, agency, or other business or governmental or non-government agency with which Monsido is entering into sales discussions for the Monsido Platform and/or with which executed a contract to provide its Monsido Platform.
References to “Customer Website” mean those publicly available pages of Customer’s website that are scanned by the Monsido Platform as part of the Monsido service offering.
References to a “Data Subject” mean a User on whom we have collected, used, processed, shared, or otherwise received and handled Personal Data as the term “data subject” is defined by the GDPR.
References to the “Monsido Platform” mean the software-as-a-service platform accessible by Users who are Customer end users and available through https://login.monsido.com/.
References to “Personal Data” mean any data that could, directly or indirectly, be used to identify a User as personal data, personal information, or personally identifiable data or information may be defined by relevant law.
References to the “Services” means those software-as-a-service modules provided to our Customers who have executed a contract to provide such services, including the ability to set up, access, and manage the same through the Monsido Platform.References to “us,” “we,” “our,” and/or “Monsido” means the Monsido corporate entities set forth in this Privacy Policy in the section titled “Monsido’s Role as a Data Controller.”
References to the “Website” mean, collectively, the websites bearing the URLs www.monsido.com and app.monsido.com.
References to “you,” and/or “User,” mean a user of the Website, an end user of the Monsido Platform or representative of a Customer, or an individual who has interacted with Monsido, such as by signing up for our mailing list, attending a Monsido webinar, or emailing Monsido.
2. Agreement to be Bound
By accessing the Website or the Monsido Platform, using our Services, or otherwise interacting with us, you represent that you have read and understood the Privacy Policy and that you agree to be bound by it.
This Privacy Policy may be additionally subject to our Terms of Service and Data Processing Agreement for those Customers who have registered for our Services as well as our Cookie Policy and General Website Terms and Conditions for Users of our Website.
3. Modifications And Changes To The Privacy Policy
We may modify, add to, suspend or delete the Privacy Policy, in whole or in part, at our sole discretion at any time, with such modifications, additions, or deletions being effective thirty (30) calendar days following their posting to the Website and emailing of a notice to Users for whom we have an email address. Your access of the Website, use of our Services, or continued interaction with us after such modification, addition, or deletion of the Privacy Policy shall be deemed to constitute acceptance by you of such changes.
4. The Personal Data We Collect: Purpose Of Collection; Data Collected; & Our Lawful Basis
For Processing
We collect both personally identifiable data and non-personally identifiable data. Often, you choose what information to provide to us, but, sometimes, we may require certain information for you to use and for us to provide the Services, the Website, the content you have requested from us, or to otherwise interact with us. We collect Personal Data directly from Users, from our Customers, automatically from Users (such as through interactions with our Website,) and from lead sources (where allowed by relevant law). More details can be found below on the source of Personal Data, why Personal Data is collected, what is collected, and our basis for processing Personal Data.
We believe in the principle of data minimization and so always try to collect the minimal amount of Personal Data necessary to make our Services, Website, and business function.
A. Personal Data You Provide To Us
We collect the Personal Data you directly provide to us and use it in the following ways:
| Purpose | Data Collected | Lawful Basis for Processing |
|---|---|---|
|
Marketing Communications |
Name, Job Title, Company Email, Company Phone Number, Company Address, Affiliated Customer Organization, Other information you may provide to us, such as that which may be found in your corporate email signature (such as a picture or gender). |
Monsido’s and our Customers’ legitimate interests: Collection and processing of Users’ Personal Data is necessary to communicate with our Customers and their designated end Users regarding company, product, and other marketing related news. Consent: Collection and processing of Users’ Personal Data may also be based on consent, when such consent is explicitly requested by us. |
|
Sales |
Name, Job Title, Company Email, Company Phone Number, Company Address, Affiliated Customer Organization, Other information you may provide to us, such as that which may be found in your corporate email signature (such as a picture or gender). We may also collect a video or voice recording in connection with sales calls. |
Monsido’s and our Customers’ legitimate interests: Collection and processing of Users’ Personal Data is necessary for the sale of the product to our Customers. Consent: Collection and processing of Users’ Personal Data may also be based on consent, when such consent is given by you, this includes where sales communications are recorded for Monsido’s training purposes (Monsido’s legitimate interest) and where such a recording may require consent under applicable law. |
|
Events, in person and online |
Name, Job Title, Company Email, Company Phone Number, Company Address, Affiliated Customer Organization. For virtual events, we may also collect a video or voice recording, depending on the type of virtual event. |
Monsido’s and our Customers’ legitimate interests: Collection and processing of Users’ Personal Data is necessary for inclusion of a User in an event, event follow up, and further communication with participants. Consent: Where a User voice or video is recorded as part of an event, consent will be obtained in advance of such recording, where required by relevant law. |
B. Personal Data We Collect In Connection With Our Services
We collect Personal Data in connection with our Services and use such Personal Data in the below ways. Monsido does not offer its Services to consumers, and, therefore, to the extent that it collects a User’s Personal Data from a Customer or a representative of a Customer, Monsido relies on the representations of the Customer that the Customer has the lawful authority to have collected and provided such Personal Data to Monsido, for example, pursuant to an employment contract between the User and Customer.
Please note: This Privacy Policy does not apply to the extent we are acting as a Customer’s data processor. To learn more about our processing activities as a data processor, please see the relevant documentation on our Compliance page or refer to your Customer Data Processing Agreement.
| Purpose | Data Collected | Lawful Basis for Processing |
|---|---|---|
|
Account registration administration |
Name, Job Title, Company Email, Company Phone Number, Company Address, Affiliated Customer Organization, Login Credentials where not using a Customer’s SSO provider. |
Monsido’s and our Customers’ legitimate interests: Collection and processing of Users’ Personal Data is necessary for the provision of account-related functionalities of our Services. Contract: We collect and process Personal Data for the purpose of administering User accounts as required under our contractual obligation for account set up and management with our Customers. |
|
Single Sign-On Information |
Identity verification through email |
Monsido’s and our Customers’ legitimate interests: Collection and processing of Users’ Personal Data is necessary for the provision of account-related functionalities of our Services. Contract: We collect and process Personal Data for the purpose of administering User accounts as required under our contractual obligation for account set up and management with our Customers. |
|
Customer and Technical Support |
Name, Job Title, Company Email, Company Phone Number, Company Address, Affiliated Customer Organization. Depending the method through which a support request is initiated, we may receive additional Personal Data, such as what is contained in a User’s email signature (such as a picture or gender). In some events, support is provided telephonically or virtually, we may also collect a video or voice recording in connection with the support provided. |
Monsido’s and our Customers’ legitimate interests: Collection and processing of Users’ Personal Data is necessary for the provision of customer and technical support when requested by a User or Customer. Contract: We collect and process Personal Data for the purpose of administering User accounts as required under our contractual obligation for account setup and management with our Customers. Consent: Where support is provided telephonically or virtually and the support provided is recorded for Monsido training purposes (Monsido’s legitimate interest,) consent will be obtained in advance of such recording, where required by relevant law. |
|
Training |
Name, Job Title, Company Email, Company Phone Number, Company Address, AffiliatedCustomer Organization. Depending on the circumstance, we may also collect a video or voice recording in connection with the training provided. |
Customers’ legitimate interests: Collection and processing of Users’ Personal Data is necessary for provision of Service-related training. Contract: We collect and process Personal Data for the purpose of providing contracted-for Service- related training. Consent: Where training is provided telephonically or virtually and the training provided is recorded for Monsido training purposes (Monsido’s legitimate interest,) consent will be obtained in advance of such recording, where required by relevant law. |
|
Legal & Compliance |
Name, Job Title, Company Email, Company Phone Number, Company Address, Affiliated Customer Organization, Other information you may provide to us, such as that which may be found in your corporate email signature (such as a photo or gender). |
Monsido’s and our Customers’ legitimate interests: Collection and processing of Users’ Personal Data is necessary for the administration of contracts. Contract: We collect and process Personal Data for the purpose of administering our Customer contracts. |
|
Cookies and First-Party Tracking |
Cookies and cookieless tracking technologies. Please refer to our Cookie Policy. |
Consent: Collection and processing of Users’ Personal Data is based on User consent, where required by law. |
3. Personal Data We Automatically Collect From Users Of Our Website And Monsido Platform
We collect Personal Data automatically from Users of our Website and Monsido Platform. We use this Personal Data in the below ways:
| Purpose | Data Collected | Lawful Basis for Processing |
|---|---|---|
|
Cookies and First-Party Tracking Technologies |
Cookies and cookieless tracking technologies. Please refer to our Cookie Policy. |
Consent: Collection and processing of Users’ Personal Data is based on User consent, where required by law. Monsido’s and User’s legitimate interests, unless prohibited by law: Collection and processing of Users’ Personal Data is used by Monsido to obtain analytics regarding usage of our Website and tailor our services to Users’ preferences as well as to ensure the Website runs smoothly and without interruption. |
|
Metadata |
Links a User interacts with, Features or content accessed, and other similar contextual information regarding usage. |
Consent: Collection and processing of Users’ Personal Data is based on User consent, where required by law. Monsido’s legitimate interests: Collection and processing of Users’ Personal Data is used by Monsido to obtain contextual information regarding usage of our Website and Monsido Platform. |
|
Log Data |
IP address (masked), Address of websites visited before using the Website or Monsido Platform, Browser type and settings, Data and time of access, Browser configurations and plugins, Language preferences. |
Consent: Collection and processing of Users’ Personal Data is based on User consent, where required by law. Monsido’s and Customer’s legitimate interests, unless prohibited by law: Collection and processing of Users’ Personal Data is used by Monsido for security, analytics, and troubleshooting. |
|
Device Information |
Type of device, Operating system used, Device settings, Application IDs, Unique device identifiers, Crash data. |
Consent: Collection and processing of Users’ Personal Data is based on User consent, where required by law. Monsido’s and Customer’s legitimate interests, unless prohibited by law: Collection and processing of Users’ Personal Data is used by Monsido for security, analytics, and troubleshooting. |
|
Location Information |
Company address, IP addressed (masked), Browser information (including referrers), Device information (such as iOS IDFA, IDFV for limited, non-advertising purposes). |
Consent: Collection and processing of Users’ Personal Data is based on User consent, where required by law. Monsido’s and Customer’s legitimate interests, unless prohibited by law: Collection and processing of Users’ Personal Data is used by Monsido for localization, compliance, and security. |
4. Personal Data We Collect From Third Parties
We may collect Personal Data regarding Users from third parties and other websites, depending on local rules and regulations regarding collection of Personal Data from third parties. Depending on the jurisdiction where a User is located, the following may or may not be applicable as we seek to ensure compliance with all relevant regulations that affect our Users. We use this Personal Data in the below ways:
| Purpose | Data Collected | Lawful Basis for Processing |
|---|---|---|
|
Customers may provide us with Users’ Personal Data as a designated point of contact for a Customer or as a Customer’s authorized end user, such as for the purpose of Sales, Marketing, Account registration and administration, Legal and Compliance, Events, Training, Customer and Technical Support. |
Name, Job Title, Company Email, Company Phone Number, Company Address, Affiliated Customer Organization, Other information the Customer may provide to us. |
Consent: Collection and processing of Users’ Personal Data is based on User consent, where required by law. Monsido’s and User’s legitimate interests, unless prohibited by law: Collection and processing of Users’ Personal Data is used by Monsido to obtain analytics regarding usage of our Website and tailor our services to Users’ preferences as well as to ensure the Website runs smoothly and without interruption. |
|
Sales; Marketing |
Name, Job Title, Company Email, Company Phone Number, Company Address, Affiliated Customer Organization, and Other information that may be provided to us by third-party lead services. |
Monsido’s legitimate interests, unless prohibited by law: Collection and processing of Users’ Personal Data is used by Monsido to connect with prospective Customers for sales and marketing purposes. |
5. The Personal Data We DO NOT Collect
Monsido does not collect any special category or sensitive data, for example, we do not collect health data, financial data, racial identity data, religious data, or any other data attributable to a single User that may be considered sensitive.
6. With Whom We Share Your Personal Data
Monsido may share your Personal Data with its related corporate entities. We may also share your Personal Data with third parties in the ways described below. We will never sell Personal Data of our Users. For more information regarding how we comply with US state laws on the selling and sharing of User Personal Data, please see our Notice at Collection.
|
When you have given us consent |
We may share your Personal Data where you have given us consent to share it. |
|---|---|
|
To our third-party vendors and services providers |
As a data controller, we engage third-party vendors and service providers to process data on our behalf. Where required, we have in place contracts with these third parties that limit the processing of the Personal Data to the extent necessary to provide the services and which include reasonable assurances regarding appropriately safeguarding the Personal Data. |
|
For legal and compliance purposes |
We may share Personal Data if we believe we are compelled to do so by applicable law, regulation, process, or a government request. Please see our Statement on Schrems II and our Transparency Reports regarding how Monsido handles responding to such requests while acting as a data processor at the direction of Customers. Where we are legally permitted to do so, Users will be notified in advance of disclosure and given any legally permitted time to object to such a disclosure. To the extent permitted by applicable law, we may also share Personal data to enforce our own agreements or policies, to protect the integrity of our Services, to protect ourselves, Customers, Users, or the public from harm or illegality, or to respond to an emergency where we believe a vital interest requires us to do so. |
|
Corporate matters |
Since 2022, Monsido has been owned by U.S.-based CivicPlus, LLC. In the event of a corporate sale, merger, dissolution, reorganization, change in control, or similar corporate event, we may transfer Personal Data in a way that constitutes a sale of Personal Data. We will endeavour to notify Users ahead of such a sale, where possible. |
7. Your Rights And How To Exercise Them
You have certain rights regarding your Personal Data, depending on your country of residence. Below is a summary of those rights. California Users are directed to Monsido’s Statement at Collection for a summary of their rights under state law, which may differ from those set forth below.
Sometimes, your rights may be limited, such as when honouring a request would reveal information about another person or if you request we delete Personal Data that we are permitted that we are permitted by law or our legitimate interests to keep.
We are required to verify the identity of any User exercising a Personal Data right. This identification process may require providing us with a signed declaration confirming your identity. If a request is made on behalf of a User by a third party, we require a certification from the User that we can provide such third party the User’s Personal Data. We reserve the right to deny any request where we do not reasonably believe the identity of the User or authorization for such a request has been provided to us.
We will respond to any request in a timely manner, which in most instances will be thirty (30) days. The time to respond to requests is set out in relevant law and may differ, depending on where the User resides.
- Right to be Informed. You have the right to be informed about Monsido’s data collection processes. We fulfil this right by providing you with this Privacy Policy, including at the time of Personal Data collection.
- Right of Access. You have the right to access what Personal Data Monsido has collected about you. You can exercise this right by making a Data Subject Access Request.
- Right to Rectification. You have the right to ask Monsido to correct any Personal Data it holds about you so as to ensure your Personal Data is accurate. You also have the right to ask Monsido complete incomplete Personal Data held about you. Oftentimes, you can rectify your Personal Data yourself through the account settings in the Monsido Platform. You can also correct any incorrect Personal Data by emailing us at privacy@monsido.com or by using one of our support channels.
- Right to Restrict Processing. You have the right to restrict Monsido’s processing of your Personal Data where: you have contested the accuracy of the Personal Data; you have objected to the processing and Monsido is considering whether it has a legitimate ground which overrides this objection; the processing is unlawful; or Monsido no longer requires the Personal Data but you require that Monsido does not delete it so as to establish, exercise or defend a legal claim you may have. To exercise your right to restrict processing, please email us at privacy@monsido.com. A User may also contact the User’s relevant Customer to discuss the User’s desire to restrict processing where such processing relates to Personal Data provided by said Customer or processed on the basis of contract with said Customer.
- Right to Erasure. In some circumstances, you have the right to ask that your Personal Data be deleted: your Personal Data is no longer necessary in relation to the purpose for which it was collected/processed by Monsido; you withdraw your consent or object to the processing and there is no overriding legitimate interest to continue processing; you object to the processing and there are no overriding legitimate grounds for the processing; you object to the processing and your Personal Data was processed for direct marketing purposes; your Personal Data was unlawfully processed or should be erased to comply with a legal obligation; or your Personal Data is processed in relation to the offer of information society services to a child.
Please note, that Monsido may refuse your request to delete your Personal Data if an exception applies: to comply with a legal obligation or for the performance of a task of public interest; for the exercise or defence of legal claims; or for purposes relating to public health, archiving in the public interest, scientific/historic research or statistics.
If your Personal Data has been disclosed to a third party, Monsido will ask it to erase that data, unless this proves impossible or involves disproportionate effort. You may ask who those third parties are by making a Data Subject Access Request, and Monsido or the relevant Customer, as applicable, will inform you accordingly.
To exercise your right to erasure, please email us at privacy@monsido.com. A User may also contact the User’s relevant Customer to discuss the User’s desire to be forgotten where such processing relates to Personal Data provided by said Customer or processed on the basis of contract with said Customer. - Right to Data Portability. You have the right to move, copy, or transfer your Personal Data from one IT environment to another in a safe and secure way, without hindrance to usability. This enables you to obtain and reuse your Personal Data across different services. This being noted, due to the nature of the Services Monsido provides and the types of data it collects, the right to data portability, although it exists, any Personal Data we provide to you in response to your exercise of this right may be limited in its utility. This right applies to Personal Data that you have personally provided to Monsido (see above section “The Personal Data You Provide to Us”); where our processing is based on consent or the performance of a contract; and where processing is carried out by automated means. You may make a request for data portability by making a Data Subject Access Request.
- Right to Object. You have the right to object to Monsido’s processing of your Personal Data in certain circumstances. You also have the right to stop your Personal Data being used for direct marketing. You can also object to Monsido’s processing of your Personal Data if the processing is for: a task carried out in the public interest; is done in the exercise of an official authority vested in Monsido; or is done for Monsido’s legitimate interests (or those of a third party). However, in these circumstances the right to object is not absolute, and you must give specific reasons why you are objecting to the processing of your Personal Data. Even if an objection is made, Monsido will continue to process your Personal Data if: Monsido can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the objecting User; or the processing is for the establishment, exercise or defence of legal claims.
To exercise your right to object to processing, please email us at privacy@monsido.com. A User may also contact the User’s relevant Customer to discuss the User’s objection where such processing relates to Personal Data provided by said Customer or processed on the basis of contract with said Customer. - Right Not to Be Subject to Automated Decision Making or Profiling. You have the right not to be subject to fully automatic decisions (those without human intervention in the decision-making process) that may have legal effects or which would significantly affect you. You also have the right not to be profiled, which is any form of automated processing of your Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to you, in particular to analyse or predicts aspects concerning your performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements. At present, Monsido does not use any fully-automated decision making or profiling systems, and, therefore, this right cannot be exercised. However, Monsido may use such automated decision-making in the following circumstances: where we have notified you of the decision and given you 21 days to request a reconsideration; or where it is necessary to perform the contract and appropriate measures are in place to safeguard your rights.
8. Revoking Consent
Where we collect or process your Personal Data based upon consent, you may revoke consent. Please note, if you revoke your consent for the processing of Personal Data, we may no longer be able to provide you Services.
9. Communications From Monsido
You may control the receipt of certain types of communications from Monsido. Monsido may contact you by phone or email about the Services or your activity. Some of these communications are required, Service-related messages for Users of our Monsido Platform, such as transactional communications or legal notices. Other communications are not required, such as newsletters and direct marketing, as discussed below. We will never shareyour email with a third party for its own marketing purposes, unless you have given us your consent to do so.
10. Our Newsletter and How to Opt-Out
We operate an email newsletter program, used to inform subscribers about products and services supplied by us or our third-party affiliates, news that may affect our Customers and Users, and upcoming event announcements. Subscription to our newsletter is opt-in. Users can opt-out of receiving our newsletter at any time by following the unsubscribe link contained in the footer of any newsletter or by emailing us at privacy@monsido.com. Please note that for current Customers or Customers with whom we are in contract negotiations, your consent to receive direct marketing from Monsido is assumed; however, you may opt- out of receiving such direct marketing at any time and such opt-out will be respected.
Email marketing campaigns published by us may contain tracking facilities within the actual email. Subscriber activity is tracked and stored in a database for future analysis and evaluation. Such tracked activity may include the opening of emails, forwarding of emails, the clicking of links within the email content, times, dates, and frequency of activity. This information is used for Monsido’s and the User’s legitimate interest to refine future email campaigns and supply the User with more relevant content based around the User’s activity. If you do not agree with the use of such tracking, please unsubscribe from our newsletter or otherwise withdraw consent using one of the methods set out in this Privacy Policy.
11. Do Not Track (DNT) Disclosure
Please note that while you may have the opportunity to opt-out of our marketing email list as discussed in the “How to Opt-Out” section above, and you may be able to control the use of cookies through your Web browser as described in the “Use of Cookies” section below, some Web browsers may also give you the ability to enable a “do not track” setting. This setting sends a special signal to the websites you encounter while Web browsing. This “do not track” signal is different from disabling certain forms of tracking by declining cookies in your browser settings, as browsers with the “do not track” setting enabled still have the ability to accept cookies. We do not respond to Web browser “do not track” signals at this time. If we do so in the future, we will describe how we do so in this Privacy Policy. For more information about “do not track,” visit http://www.allaboutdnt.org/.
12. Other Web Sites
Our Website and the Monsido Platform may contain links to other websites, which are outside our control and are not covered by this Privacy Policy. If you access other websites using the links provided, the operators of these websites may collect Personal Data from you, which will be used by them in accordance with their privacy policies. These policies may differ from ours.
13. Cookies and Other Tracking Technologies
To enhance your online experience, we may use “cookies” or similar technologies. Please see our Cookie Policy, available online at https://monsido.com/cookie-policy/ regarding our use of cookies and how to opt-out of online tracking. Please note that if you change browsers or computers, or if you clear your browser’s cache, you may need to click the link again to apply your preferences.
14. Privacy Protection for Children Using the Internet; Notice to Minors
Protecting children’s privacy is important to us. For that reason, we do not collect or maintain Personal Data of those persons we actually know are under the age of thirteen (13) nor is any part of the Website, Monsido Platform, or our Services targeted to attract anyone under the age of thirteen (13). We request that all users of the Website, Monsido Platform, and our Services who are under the age of thirteen (13) not disclose or provide any Personal Data. If we discover that a child under thirteen (13) has provided us with Personal Data, we will delete that child’s Personal Data from our records. You are responsible for any and all account activity conducted by a minor under your account.
In addition to protecting the privacy of children under the age the age of thirteen (13), we are committed to protecting the privacy of minors. Though our Website, Monsido Platform, and Services are not targeted to minors, nor are they it intended to be used by minors, if for any reason a minor has shared Personal Data with us, said minor may request and obtain removal of such information by contacting us at privacy@monsido.com.
15. Retention
Monsido will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. This may include for as long as your account is active for Users of the Monsido Platform, for the term of contract where you are a designated representative of a Customer, or for those other purposes as described in this Privacy Policy. If you no longer want Monsido to use your Personal Data, you may exercise your right of deletion; however, as accounts are provided in accordance with our contract with a Customer, Users who wish to close their accounts should first speak with the relevant Customer regarding their desires to be removed as an end user or as a Customer point of contact for sales, marketing, legal, and/or compliance purposes. Monsido will retain and use your information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your information to comply with applicable tax/revenue laws), resolve disputes, and enforce our agreements. The period for which are required to retain Personal Data for these purposes is set by law and is jurisdictionally dependant. We also retain log files for internal analysis purposes. These log files are generally retained for a brief period of time, except in cases where they are used for the safety and security of our Monsido Platform and/or Website, to improve the functionality of our Website, Monsido Platform, or Services, or we are legally obligated to retain them for longer time periods.
16. Data Security
We take steps to maintain the security of the Personal Data that we collect, including have implemented additional safeguards for the Personal Data of our EEA/UK/Swiss customers. We also closely evaluate our third-party processors and those companies with whom we share Personal Data to ensure compliance with relevant data processing laws. For more information about our security practices, please see Information Security Overview.
Please note that no service is completely secure. While we strive to protect your Personal Data, we cannot guarantee that unauthorized access, hacking, data loss or a data breach will never occur. If we are required by law to inform you of a breach to your information, we may notify you electronically, in writing, or by telephone. For Users who are Customer end Users or authorized contact points, such notification may come from the relevant Customer.
17. International Data Transfers; Participation In The UK/EEA/Swiss Data Privacy
Framework Programs; How to File a Complaint
Monsido operates globally and has offices in the United Kingdom, Denmark, Australia, and the United States. For registered Customers with whom Monsido has a data processing agreement, all Customer data is stored on geo-located servers in compliance with applicable local data protection laws and Monsido’s contractual commitments to its Customers when acting as a data processor. For more information about international data transfers for Customer data at an application-level and when Monsido is acting as a data processor, please see our Transfer Risk Impact Statement.
In addition, due to the international nature of our company, we may have to transfer User Personal Data to our related corporate bodies, affiliates, contractors, service providers, and other third parties in countries around the world. When we make such transfer, we rely on appropriate safeguards to ensure Personal Data remains protected and otherwise comply with relevant data transfer regulations.
Transfers from the EEA/UK/Switzerland. We may transfer Personal Data worldwide in order to support our global operations. Users located in the European Economic Area (“EEA”), United Kingdom (“UK”), or Switzerland, should please note some of the countries that we transfer, store, and process information in may not have privacy and data protection laws that are equivalent to the laws of the country where the User is located. When this is the case, we utilize the European Commission Standard Contractual Data Protection Clauses and the United Kingdom Standard Contractual Data Protection Clauses to safeguard the transfer of information we collect from Users located in the EEA, the UK, and Switzerland to third countries. Monsido is fully committed to the principles of the UK and EU GDPR, including when it comes to international data transfers. To learn more about our commitment to the GDPR, please see https://monsido.com/gdpr.
Participation in the EEA/Swiss Data Privacy Framework Program. As a global company, Monsido recognizes that its Users may have concerns not just about the access of Monsido’s processors to Personal Data but also about the access of Monsido’s related corporate bodies, including its U.S.-based parent company, CivicPlus, LLC, to Personal Data. Monsido is committed to operating is Services and data collection activities independently and does not share processing activities for its Services with its parent company when fulfilling its role as adata processor pursuant to a Customer contract. For more information about Monsido’s commitment to independence, please see our Statement on Schrems II and Data Sovereignty Statement.
Where Monsido acts as a data controller, it may share Personal Data of Users located in the EEA, UK, or Switzerland with its related corporate entities and transfer such data from the EEA, UK, or Switzerland to the United States and other countries. When we transfer Personal Data, we rely on Article 45 of Regulation (EU) 2016/679 (GDPR) and UK Secretary of State, based on Article 45 of the UK GDPR and Section 17A of the Data Protection Act 2018 or the EC’s Standard Contractual Clauses (“SCCs”) and the UK Information Commissioner’s Office’s International Data Transfer Addendum (“IDTA”), as applicable, supplemented by additional security measures as recommended by the European Data Protection Board. The European Commission and the UK’s Information Commissioner’s Office ("ICO”) have determined that the SCCs and IDTA may provide sufficient safeguards to protect Personal Data transferred outside the EEA, UK, and Switzerland. Where we transfer Personal Data, we perform transfer impact assessments (“TIAs”) and continually monitor the circumstances surrounding such transfers to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the EEA, UK, and Swiss data protection laws.
In addition to utilizing SCCs, as part of our commitment to maintaining high data protection standards when transferring Personal Data between the EEA/UK/Switzerland and the United States, we plan to participate in the EU-US/Swiss-US Data Privacy Frameworks and the UK Extension to the same (collectively “EU/SWISS-US DPF.”) We will certify to the Federal Trade Commission that we adhere to the EU/SWISS-US DPF Principles (“EU/SWISS-US DPF Principles”) with regard to the processing of Personal Data received from the European Union in reliance on the EU/SWISS-US DPF. If there is any conflict between the terms in our Privacy Policy and the EU/SWISS-US DPF Principles, the Principles govern. To learn more about the Data Privacy Framework (“DPF”) program please visit https://www.dataprivacyframework.gov/.
In compliance with the EU/SWISS-US DPF Principles, we have committed to resolve complaints about privacy and our collection or use of User’s Personal Data transferred to the United States pursuant to the EU/SWISS-US DPF Principles. EEA/SWISS individuals with DPF inquiries or complaints should first contact Monsido: Data Protection Officer, privacy@monsido.com. We will investigate and attempt to resolve any complaints or disputes regarding processing of personal data within forty-five (45) days of receiving a privacy complaint.
Monsido is further committed to refer unresolved privacy complaints under the EU/SWISS- US DPF Principles to an independent dispute resolution mechanism, Cybersecurity and Privacy Practice Group, operated by JAMS. If a User does not receive timely acknowledgment of a complaint, or if a complaint is not satisfactorily addressed, we invite a User to visit the JAMS Program for more information and to file a complaint. This service is provided free of charge to our Users.If an EU/SWISS-US DPF complaint cannot be resolved through the above channels, under certain conditions, our User may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. Through CivicPlus, we are subject to the jurisdiction of the US Federal Trade Commission for the purposes of EU/SWISS-US DPF enforcement.
If an EU/SWISS-US DPF complaint cannot be resolved through the above channels, under certain conditions, our User may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. Through CivicPlus, we are subject to the jurisdiction of the US Federal Trade Commission for the purposes of EU/SWISS-US DPF enforcement.
18. How Monsido Responds To U.S. Law Enforcement and U.S. Surveillance Agency Requests
Monsido understands privacy and data protection is a critical concern for its customers, and we have listened to our international customers and sought to ensure that, no matter our global reach, we design our products and operational landscape to reflect the principles of privacy by design and privacy by default, while also ensuring compliance with the various data protection regulations that govern our offices. We believe that our Users should control who has access to their Personal Data and oppose any request by law enforcement or surveillance agencies to obtain the data of our EEA and UK Users. Unless prohibited by law, we will always notify a User of any such request for the User’s Personal Data so as to allow the User the opportunity to object to the request. We publish annual Transparency Reports regarding such requests.
18. Right To Non-Discrimination
We will not discriminate against individuals who exercise their privacy rights under applicable law. However, the exercise of some rights may result in our inability to provide a User with access to the Website or Monsido Platform or to otherwise continue rendering Services.
19. Accessibility.
This Privacy Policy can be accessed using your browser’s audio reader capabilities. Please see our Accessibility Statement for more information.
20. Testimonials, Feedback, Case Studies.
We may display personal testimonials from satisfied Customers who have given us their permission to do so and other endorsements on our Site. If you are the authorized representative of a Customer, where a Customer has given us permission, we may post a User photograph, name, and title together with a testimonial. Where we do so, we base our processing on the representation from our Customers that they have your consent to do so and have given us this consent. If you wish us to update or delete your testimonial, please contact us at privacy@monsido.com.
We consider answers to surveys, comments, ideas, and suggestions to be non-personal and do not classify them as Personal Data. Except as otherwise provided by applicable contracts with our Customers or a third party, we are free to disclose and use such data or information without any obligation.
21. How to Contact Us
If you have any questions or concerns about our Privacy Policy or its implementation you may contact us: at privacy@monsido.com.
Or you may write to us at Monsido ApS, Attn: Data Protection Officer, Borupvang 3, Ballerup, DK-2750, Denmark.
Without prejudice to any other rights you may have, if you are located in the EEA/UK/Switzerland, you also have the right to file a complaint against Monsido with the Danish Data Protection Commissioner ("Datatilsynet"), which is Monsido’s Lead Supervisory Authority. The DPC’s contact details are:
Office of the Data Protection Commissioner
Datatilsynet
Borgerade 29, 5
DK-1300 Copenhagen K.
Fax: +45 33 19 32 18
Email: dt@datailsynet.dk
Digital post: www.borger.dk
If you live in the EEA/UK/Switzerland, you may also file a complaint with your local data protection regulator.
22. Key Changes
This Privacy Policy was last updated on July 20, 2023, to include more detailed information about from where we collect Personal Data, our bases of processing, our commitment to U.S. state laws regarding privacy policy, and our plan to participate in the EU/SWISS-DPF program and available redress resources, among other changes.
Click here to download a PDF version of this Privacy Policy.
22. U.S. CCPA & State Privacy Notice - Notice at Collection
We provide the following U.S. CCPA & State Privacy Notice – Notice at Collection for Users located in California and other states which may have privacy regulations. To the extent of a disagreement between the main terms of the forgoing Privacy Policy and this Notice at Collection, this Notice at Collection will control.
Monsido adheres to the requires of state privacy law, including the California Consumer Privacy Act of 2018 (“CCPA,”) which became effective on January 1, 2020, and its November 2020 amendment, effective January 1, 2023. In addition to the CCPA, we adhere to the requirements of other state privacy laws, including Virginia, Colorado, Connecticut, and Utah. We provide this U.S. CCPA & State Law Privacy Notice in compliance with those state laws. Please note that some states have not yet finalized their implementation rules; however, in an effort to be fully transparent and compliant, we make this privacy notice at this time and will update it as required when the rules are finalized.Monsido’s U.S. CCPA & State Privacy Notice is based on the principles of:
- Accountability so that you know Monsido holds itself accountable to its Customers and Users who entrust it with Personal Information
- Transparency so that you know what Personal Information we collect, use, disclose, share, and sell
- Control so that you can contract how your Personal Information is accessed, corrected, and deleted
Introduction
“Personal Information” is information that identifies, relates to, or could reasonably be linked directly or indirectly with a particular resident and includes certain categories of Personal Information set out in this Notice at Collection. Personal Information can also include “Sensitive Personal Information.”
Monsido takes data protection seriously and has implemented various physical, technical, electronic, procedural, and organizational safeguards and security measures to protect Personal Data against unlawful, accidental, and unauthorized destruction, loss, alteration, disclosure, or access. For more information about our security practices, please see our Information Security Overview.
The Personal Information We Collect; How We Collect Personal Information; Our Purpose of Collection; and With Whom We Share Personal Information
Individuals should know what Personal Information companies collect, use, process, and sell their Personal Data as well as the reason for such collection, use, and processing. We detail below the categories of Personal Information we collect, where we get that data, why we process it, and who we give the data to.
Please see our Privacy Policy for more information.
| Category of Personal Information | Sources of Personal Information | Purpose of Processing | Recipients |
|---|---|---|---|
|
A. User Identifiers: Name, Title, Company Email, Company Address, Company Phone Number, Affiliated Customer Organization, IP address |
Prospect leads; Customers; Interactions with affected Users Where a customer uses Monsido’s statistics module, website visitor IP addresses are anonymized before storage. |
Marketing: Communicate with our Customers and Users regarding company, product, and other marketing related news |
Service providers; Related corporate entities |
|
B. Customer Records: Name, Signature, Company Address, Company Phone Number |
Prospect leads; Customers; Interactions with affected Users |
Marketing: Communicate with our Customers and Users regarding company, product, and other marketing related news; |
Service providers; Related corporate entities |
|
C. Characteristics of Protected Classifications Under California or Federal Law: Gender identity if provided in a Users’ email signature |
Interactions with affected Users |
Monsido does not categorize or make use of this Personal Information. However, to the extent it is provided by a User through an interaction with Monsido, e.g., via an email to Monsido sales, marketing, or support services. |
Email provider; Related corporate entities |
|
D. Commercial Information: Purchase and use of the Monsido Platform |
Users’ interactions with the Monsido Platform; Customers and Users |
Account registration and administration: Provision of account-related functionalities of our Services |
Service providers; Related corporate entities |
|
E. Biometric Data: Monsido does not collect biometric data for identity verification |
N/A |
N/A |
N/A |
|
F. Internet or other Electric Network Activity Information: Information regarding Users’ use of the Monsido Platform and Website; Cookies and cookieless tracking technologies |
Users’ interactions with the Website and Monsido Platform |
Personalization: Provision and personalization of use of the Website and Monsido Platform |
Service providers; Related corporate entities |
|
G. Geolocation Data: IP address |
Users’ interactions with the Website and Monsido Platform |
Account Management: Administering User accounts as required under our contractual obligation for account management with our Customers |
Service providers; Related corporate entities |
|
H. Audio, electronic, visual, thermal, olfactory, or similar information: Audio and video |
Interactions with affected Users |
Marketing: Recording of webinars for general marketing purposes |
Service providers; Related corporate entities |
|
I. Professional or Employment-Related Information: Name, Title, Company Email, Company Address, Company Phone Number, Affiliated Customer Organization |
Prospect leads; Customers; Interactions with affected Users |
Marketing: Communicate with our Customers and Users regarding company, product, and other marketing related news |
Service providers; Related corporate entities |
|
J. Education Information: Not collected |
N/A |
N/A |
N/A |
|
K. Inferences: Not collected |
N/A |
N/A |
N/A |
| Category of Sensitive Personal Information | Sources of Sensitive Personal Information | Purpose of Processing | Recipients |
|---|---|---|---|
|
Account Log-In, Financial Account, Debit or Credit Card Number, and the Means to Access the Account (Security or Access Code, Password, Credentials, etc.): Account log-in information; Credentials |
Customers and Users |
Account registration and administration: Provision of account-related functionalities of our Services |
Service providers; Related corporate entities |
|
Precise Geo-Location Information: IP Address |
Users’ interactions with the Website and Monsido Platform |
Account Management: Administering User accounts as required under our contractual obligation for account management with our Customers |
Service providers; Related corporate entities |
|
Is any sensitive data processed? |
No, unless it has already been made public by a customer on its public-facing web pages. |
No, unless it has already been made public by a customer in a public-facing PDF. |
No. |
|
Racial or Ethnic Origin, Religious or Philosophical Beliefs, or Union Membership: Not collected |
N/A |
N/A |
N/A |
|
Medical or Mental Health, Sex Life, or Sexual Orientation: Not collected |
N/A |
N/A |
N/A |
| Biometric Data: Monsido does not collect biometric data for identity verification |
N/A |
N/A |
N/A |
|
Contents of your Mail, Email, or Text Messages (where Monsido is not the intended recipient of the communication): Not collected |
N/A |
N/A |
N/A |
|
Personal Data Collected from a Known Child Under 13 Years of Age: Not collected |
N/A |
N/A |
N/A |
- As necessary or appropriate to protect the rights, property or safety of us, our Customers, Users, or others;
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations; or
- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred.
Sharing of Personal Information
Users have the right to know if their Personal Information is shared with third parties. We may share with or otherwise disclose your Personal Information for the business purposes outlined in this notice. When we disclose personal data to third parties, we do so under a contract with the third party that describes the purposes of the sharing of the data and the requirements for keeping Personal Information confidential and limited. Please see our Privacy Policy for more information.
In the preceding twelve (12) months, we have disclosed the following categories of data for a business purpose:
- Category A: User Identifiers
- Category B: Customer Records
- Category C: Characteristics of Protected Classifications Under California or Federal Law
- Category D: Commercial Information
- Category F: Internet or other Electric Network Activity Information
- Category G: Geolocation Data
- Category H: Audio, electronic, visual, thermal, olfactory, or similar information
- Category I: Professional or Employment-Related Information
Disclosures to our Service Providers. We may provide Personal Information to our services providers, as defined by the CCPA, so that they can perform services for us as specified in our contracts with such service providers and for the purposes outlined above.
Disclosures to our Corporate Entities. We may share your Personal Information with our related corporate entities.
Disclosures for Other Purposes. In addition, we may disclose personal information to third parties for other notified purposes, as permitted by U.S. state data privacy laws.
"Sharing" and Personalized Advertising. We do not share Personal Information with third parties for personalized advertising purposes, as defined under applicable U.S. state laws.
We Do Not Sell Your Personal Information
Users have the right to know if their Personal Information is being sold. Personal Information is sold when it is provided to a third party for monetary or other valuable consideration for a purposes that is not considered a business purpose as defined by the relevant state law. This does not include where Monsido may share personal data where permitted by law or at a User’s or Customer’s direction. Monsido does not sell Personal Information.
In the preceding twelve (12) months, we have not sold any Personal Information.
Right to Opt-out of “Sale” or “Sharing"
Monsido does not sell or share your personal information as that is defined by relevant state law. Therefore, we do not offer an opt out.
User Rights Under State Law
If you are a covered User under relevant state law, you have the following rights:
1. Receive this Notice at Collection at or before collection of Personal Information.
2. Request that we disclose to you the following information covering a twelve (12) – month period prior to your request. Such disclosure is free of charge to you:
- The categories of Personal Information we have collected about you;
- The categories of the sources from which the Personal Information was collected;
- The Categories of third parties to whom we disclosed your Personal Information; the categories of Personal Information that were disclosed; and the purpose for disclosing the Personal Information; and
- The Personal Information we collected about you.
4. Request that we delete Personal Information unless a state law exception to deletion applies (e.g. for our own tax reporting obligations)
5. Be free from unlawful discrimination where you may exercise your rights.
How to Exercise Your Rights Under State Law
Users can exercise their rights under state law by submitting a request to us by:
1. Completing an online Data Subject Access Request
2. Calling us at +1 858-281-2185
Monsido will acknowledge your request and advise you how long we expect it will take us to respond. We must be able to verify your identity. Please note that requests for specific pieces of Personal Information may require additional information for this verification. Individuals or Customers who submit a request on behalf of another person must provide us with proof of authorization and verification directly from the person to whom the request relates.
We may not be able to honor all requests, in some circumstances. For example, if we cannot verify a requestor’s identity or authorization. We also will not honor requests where an exception applies. Where we cannot honor a request, we will advise you.
We process all requests with 45 days for California residents. If we need additional time, up to 45 additional days, we will provide you with an explanation for the delay.
Questions or Concerns
You may contact us with questions or concerns about this Notice at Collection and our state law data collection practices by:
- Writing us at: Monsido, LLC, Attn: Data Protection Officer, 302 S. 4th Street, STE 500, Manhattan, Kansas, 66502
- Emailing us at privacy@monsido.com
Changes to this U.S. CCPA & State Privacy Notice - Notice at Collection
We may change or update this Notice at Collection from time to time by posting a notice to this page and by emailing registered Users at the email address we have on file.
Where to Find the Notice of Collection
You can find this Notice at Collection at https://monsido.com/ccpa-us-state-law-notice
