Skip to main content

 

Granicus Insights

Granicus, LLC Subscriber Privacy Statement

Updated May 24, 2018

1. What is Communications Cloud?

Govdelivery Communications Cloud, powered by Granicus, connects more than 150 million people like you with accessible, relevant, and important government information. We strive to make the information you receive both convenient and valuable.

2. Overview

Granicus, LLC ("Granicus" or "We") is committed to maintaining your trust by protecting your personal data. This statement explains how we collect, use, share, and protect your personal data. Personal data is any information relating to an identified or identifiable person. Your name, address, phone number, email address, and IP address are examples of personal data. 

Unless otherwise specified, this statement applies to Granicus’s Communications solutions, including Govdelivery Communications Cloud and Targeted Messaging Service.

Granicus will process your personal data in a transparent and lawful way. Any personal data you provide when using this website or our products and services will be used only in accordance with this privacy statement. 

We may change this statement from time to time to reflect privacy or security updates. If we make material changes, we will notify you via the email address listed in your account. We encourage you to periodically review this page for the latest information on our privacy practices.

We have provided a table of contents along the left side of the page so you can easily jump to the specific sections set out below. Alternately, you can download a PDF version of the statement.

3. Contact Us

If you have any questions about this statement or if you would like to exercise any rights you may have in relation to your personal data, ­­­­­­­­­­please contact us at support@granicus.com. If you have additional questions or need to escalate an issue, use the below details to contact our Data Protection Officer (DPO):

Full name of legal entity: Granicus, LLC
Name or title of DPO: Gerry Hansen
Email address: dpo@granicus.com
Postal address: 408 St. Peter Street, Suite 600, St. Paul, MN 55102, USA
Telephone number: 01 651 925 5765

You have the right to make a complaint at any time to the relevant data protection supervisory authority in the EU member state in which you reside. We would, however, appreciate the chance to deal with your concerns before you approach your supervisory authority so please contact us in the first instance.

4. What Personal Data Does Granicus Collect, and for What Purpose?

We collect your email address and phone number to provide you with the information you have requested as part of your subscription services. We may also collect your responses to certain questions, which may contain personal data, as well as your geolocation, so we can provide you with more relevant topical information. This information is either gathered from you directly through our web forms or is gathered by our client and uploaded into our system.

We gather some information automatically, including internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics) or within emails we send you, operating system, date/time stamp, and/or clickstream data to analyze trends in the aggregate, administer our services, and for diagnostic and support purposes.

We do not collect sensitive personal data, e.g., personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data or biometric data in order to uniquely identify a person or data concerning health, sex life, or sexual orientation, unless you affirmatively disclose such information in a question response and consent to the collection and processing of such information via the consent checkbox during signup or on your subscriber preferences page. In this case, information will be collected only to provide you with targeted topical information.

Recipient Data

If you receive messages (via email or SMS) from a Granicus client through our Targeted Messaging Service, you should know the following: We collect recipients’ email addresses and phone numbers to deliver messages to you on behalf of our clients. When you open an email or click a link within that email, we also collect your IP address and user agent for internal auditing and support purposes.

Customer Support

When you contact our Customer Support team for assistance, we collect your email address to communicate with you about your concerns. We may also use your email address to determine which of our clients you have subscribed to. Your agent string (IP address, browser information, operating system, etc.) is also collected for internal auditing and support purposes.

5. Legal Basis for Collecting and Processing Data

We will use your personal data when the law allows us to. Most commonly, as a subscriber in the system, we will process your personal data in the following circumstances:

  • Where you consent.
  • Where it is necessary for our legitimate interests (i.e., we have a business or commercial reason for using your information) and your interests and your fundamental rights do not override those interests.

Our legitimate interests may include the following:

  • Fulfilling our legal and contractual duties.
  • Analyzing usage pattern to ensure we are providing best product for our end users.
  • Seeking your consent when we need it to contact you.
  • For suggesting/restricting content based on your interaction with our services.
  • Developing and improving the network security, efficiency, and technical specification of our IT systems and infrastructure.

6. Change of Legal Basis

We will use your personal data only for the uses and purposes set out above unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original uses and purposes. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis that allows us to do so.

7. Failure to Provide Personal Data

Where we need to collect personal data by law or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time. Furthermore, if you withdraw your consent, we will no longer be able to provide you with the Communications Cloud Services.

8. Profiling 

We will not use your personal data for decisions based solely on automated processing if the decision has legal effects concerning you, or if it significantly affects you, unless you gave your explicit consent for this processing.

9. Do We Share Your Personal Data with Third Parties? 

Except as described here or in any of our other applicable privacy policies, we will not sell, distribute, lease, or provide any of your personal data to any third parties unless we have your permission to do so or are required by law.

We share your personal data with the following categories of recipient:

  • Agents and subcontractors. We may disclose your personal data with our agents or subcontractors for the purposes identified above. In these cases, the agent or subcontractor will be obligated to use that personal data in accordance with the terms of this privacy statement.
  • Third parties as permitted or required by law. This may include disclosing your personal data to regulators or law enforcement authorities. We may transfer and disclose the data we collect about you to comply with a legal obligation, including responding to a court order, to prevent fraud, to comply with an inquiry by a government agency or other regulator, to address security or technical issues, to respond to an emergency, or as necessary for other legal purposes.
  • As part of a business transaction. In relation to an ongoing or proposed business transaction such as a transfer of the ownership or operation of Granicus, LLC or any companies in its group to another organization, if we merge with or are acquired by another organization, or if we liquidate our assets, your personal data may be transferred to a successor organization. If such a transfer occurs, the successor organization’s use of your data will still be subject to this statement and the privacy preferences you have expressed to us.

10. International Data Transfers

Granicus is owned and operated within the United States. Therefore, the data that we collect from you will be transferred to, and stored at, a destination outside the European Economic Area (EEA).

Privacy Shield Certification

Granicus participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. Granicus is committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List. 

Granicus is responsible for the processing of personal data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Granicus complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.

With respect to personal data received or transferred pursuant to the Privacy Shield Framework, Granicus is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Granicus may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In addition, Granicus has agreed to cooperate with the European Data Protection Authorities for the purpose of handling any unresolved complaints regarding personal data concerns. Data subjects may engage their local data protection and/or labor authority concerning adherence to the Privacy Shield Principles, and Granicus shall respond directly to such authorities with regard to investigations and resolution of complaints.

Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

As a global company, Granicus employs a multifaceted approach to protecting personal data. For example, when transferring personal data between corporate entities, Granicus relies on different legal transfer mechanisms (e.g., standard contractual clauses or Privacy Shield certification) depending on the type of personal data needed and countries involved. Please contact Granicus for any questions you might have or for additional information regarding the protections in place to protect your personal data.

11. Security 

We are committed to ensuring that your personal data is secure. To prevent unauthorized access or disclosure, we have put appropriate technical and organizational measures in place to safeguard and secure your personal data.

If a data breach does occur, we will do everything in our power to limit the damage. In case of a high-risk data breach, and depending on the circumstances, we will inform you about remedial actions to prevent any further damage. We will also inform the relevant supervisory authority or authorities of the breach.

Unfortunately, no security measures are completely secure. We therefore cannot guarantee that your personal data will not be disclosed, misused or lost by accident or by the unauthorized acts of others. Further, we cannot control dissemination of personal data you post in the public domain and you should have no expectation of privacy in respect of such data.

The procedures and related standards include limiting access to data and regularly testing and auditing our security practices and technologies.

Employees and temporary workers are required to follow policies and procedures and complete confidentiality training to understand the requirement of maintaining the confidentiality of customer information. If they fail to do so, they are subject to disciplinary action. All employees are required to complete privacy, security, ethics and compliance training. We also offer a wide variety of other training to all employees and temporary workers to help us achieve our goal of protecting your personal data.

12. Data Retention 

How long we retain your data depends on the type of data and the purpose for which we process your data. Your data will not be retained for a period longer than necessary for the purpose for which we have processed your data, plus any statutory period during which we need to retain the data to resolve any legal claims. Your data will be retained until you request the deletion of your subscriber profile plus any legal statutory period and we will fulfill your deletion request without undue delay and within the time periods required by law. Information retained during the legal statutory period will be minimized to only the data strictly necessary to resolve any legal claims that may arise.

However, it may not always be possible to completely remove or delete all your personal data from our data bases without some residual data because of backups and other reasons.

To determine the appropriate retention period for the information we collect from you, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure of the data, the purposes for which we process the data, whether we can achieve those purposes through other means, and the applicable legal requirements. 

13. Data Subject Rights 

To exercise any of the following rights, please contact support@granicus.com. If you need to escalate a matter or feel that your issue is unresolved, please contact our DPO.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

13.1 Right to Request Access 

You have the right to request details of your personal data that we hold. Upon request, we will provide a copy of such personal data within a reasonable timeframe.

13.2 Right to Rectification 

If you believe that any personal data we are holding on you is incorrect or incomplete, please contact us as soon as possible at the address above. We will promptly correct any personal data found to be incorrect, though we may need to verify the accuracy of the new data you provide to us.

13.3 Right to Object

You may choose to object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your data which override your rights and freedoms.

Please note that your objection may be overridden by the legitimate interests of Granicus to process and collect your personal data.

13.4 Right to Erasure 

To the extent legally permissible, you may be entitled to have certain personal data erased in the following circumstances:

  • The personal data is no longer necessary in relation to the purposes for which it was collected or processed.
  • You object to the collection or use of your personal data and there are no overriding legitimate grounds for the processing.
  • The personal data has been unlawfully processed.
  • The personal data has reached the defined retention period or for compliance with a legal obligation to which Granicus is subject.

Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

13.5 Right to Restriction of Processing

You may have the right to restrict further processing of your personal data in the following situations:

  • You contest the accuracy of the personal data.
  • The processing of the data is unlawful.
  • The personal data has reached the defined retention period, but you require the personal data to establish, exercise, or defend legal claims.
  • You object to the processing of data pursuant to the right to object as described above. The processing may be restricted pending the verification of whether Granicus’s legitimate grounds override your rights as a data subject.

13.6 Right to Portability 

You have the right to receive your personal data in a structured, commonly used, and machine-readable format. Granicus will assist in the transmission of such data to another entity, upon request, to the extent technically feasible. Note that this right only applies to automated information which you initially provided consent for us to use, or where we need the information to perform a contract with you.

13.7 Right to Revoke Consent 

If you have consented to the processing of your personal data via the explicit checkbox during signup or while editing your preferences, you have the right to revoke such consent by deleting your profile. However, if you withdraw your consent, this will not affect the lawfulness of any processing carried out before you withdraw your consent.

13.8 Right to Make a Complaint

You have the right to make a complaint at any time to the relevant data protection supervisory authority in the EU member state in which you reside.