DataGrail Privacy Policy

1. Personal Data Collected by DataGrail on the Platform

• Email & Contact Information. Users may optionally provide their email address and/or other contact information (e.g., name, company name, job title) to DataGrail to contact us through the Platform with questions about our Platform and Services, or to request a Demo. Users may also optionally subscribe to our newsletters and may unsubscribe at any time through the opt-out link contained within those communications.
• Account Information. In subscribing to its Services, DataGrail requires its Customer to provide account-based information, including Customer name, address, phone number, email and payment processing information. This information is necessary to facilitate account services and subscription and related purchases through the Platform. Account information may also be used to (i) provide information regarding our Services; (ii) communicate material changes to our Terms of Service and Privacy Policy; and/or (iii) help us maintain and improve Services offered.
• Log-File Information. Log file information is automatically reported by your browser each time you access a web page. Server logs may include information such as your web request, Internet Protocol (“IP”) address, browser type, referring / exit pages and URLs, number of clicks, domain names, landing pages, pages viewed, and other such information. Log-File data will be used for debugging purposes and to improve
• Web Beacons. Pages of our Site, Platform and/or emails from DataGrail may contain web beacons. Also known as “tags”, “pixels” or “clear GIFs”, these are pieces of code or tiny electronic images, that are ordinarily not visible to website visitors and email recipients and may be associated with cookies on the visitors’ browser or device. Pixel tags allow us to count users who have visited certain pages of our website or have interacted with our Platform, to deliver branded Services, to provide online advertising, and to help determine the effectiveness of promotional or advertising campaigns.
• Cookies. DataGrail’s Site uses cookies to provide users with a better browsing experience — cookies are only collected with your express consent. In addition, by accepting DataGrail’s Privacy Policy upon purchase of the Services, you are consenting to DataGrail’s use of cookies in connection with the Services itself. DataGrail utilizes cookie technology to gather information on Internet use in order to serve you more effectively. Cookies are files with a small amount of data and are sent to your browser from a website and transferred to your device. You can set your browser to remove or reject cookies; however some Platform features or Services may not work properly without cookies.

How You Can Control Advertising Cookies. Cookies are also utilized to deliver advertising on our Site. Among other uses, they allow us to show more relevant advertising to people who visit the Site by showing you ads that are based on your browsing patterns and the way you have interacted with our Sites. We may use the following advertising partners. You can find information about how to opt out of targeted ads and related data collection here:

• Google Ads & Google Tag Manager. Google Ads utilizes search engine marketing to serve ads to target audiences. Google Tag Manager tracks Flash cookies, and social networking applications. Please see Google’s Data Privacy and Security Policy for more information on their data collection and processing. You can use Ads Settings to manage the Google ads you see and opt out of Ads Personalization. To manage privacy settings for Flash cookies, see Adobe Flash Player Help
• Facebook Advertising. Meta Platforms, Inc., providing services as Facebook, may use cookies, web beacons, and other storage technologies to collect or receive information and use that information to provide measurement services and target ads. DataGrail may use “Visitor action pixels” from Facebook on the Platform. This allows user behavior to be tracked after they have been redirected to the provider’s website by clicking on a Facebook ad. This enables us to measure the effectiveness of Facebook ads for statistical and market research purposes. The data collected in this way is anonymous to us, i.e. we do not see the Personal Data of individual users. Please see the Meta’s Privacy Policy  for additional information. Users can opt-out of the collection and use of information for ad targeting. To opt-out, go to Privacy Settings through your Facebook account and opt out under the Ad Preferences settings.
• LinkedIn Ads. LinkedIn Ads uses cookies to track the success of LinkedIn advertising. Personal Data is processed in accordance with the LinkedIn Privacy Policy. To opt out of LinkedIn Ads, see manage your LinkedIn Advertising preferences.
• X (formerly Twitter) Advertising. X Corp., utilizes cookies to provide interest based advertising. See X Privacy Policy for more information on its data collection and processing policies. Please See X Privacy Controls for more information on how to adjust your privacy settings.
• Microsoft Ads. In connection with Microsoft Ads and remarketing, DataGrail uses a Universal Event Tracking (UET) feature, which enables Microsoft to collect or receive Personal Data from you to provide Microsoft Advertising. Please see Microsoft Privacy Statements for more information.
• Reddit & Vector. We utilize Reddit and Vector to serve interest-based advertisements and measure audience engagement. Please see Reddit’s Privacy Policy for opt-out information.

Even if you opt out of cookies/ads personalization, you may still see ads based on factors such as your general location derived from your IP address, your browser type, and your search terms. You can also manage cookies for any online advertising service via the consumer choice tools created under self-regulation programs, such as the US-based aboutads.info choices page or the European Union (“EU”)-based Your Online Choices. See also the Network Advertising Consumer Opt-Out and/or the Digital Advertising Alliance Opt-Out.

2. Personal Data Received by DataGrail or Disclosed or Shared by DataGrail

Personal Data is collected to facilitate the Platform offered, for marketing of our Services, and for internal analysis relating to product improvements and data security. DataGrail shares Personal Data with only those contractors, service providers and other third parties who are bound by contractual obligations to keep Personal Data confidential and to limit such use only for the purpose for which it is disclosed. Personal Data collected is processed to facilitate the provision of the Services on the Platform or as otherwise disclosed at the time of collection to:

Provide Services. Personal Data is used to:

• Provide, operate and improve the Platform and Services;
• Process payments and complete transactions;
• Update you and provide marketing communications about new features and Services;
• Sales and marketing outreach;
• Employment application processing;
• Respond to inquiries and provide customer support and feedback;
• Detecting, preventing, and investigating security incidents that compromise the availability, authenticity, integrity or confidentiality of stored or transmitted Personal Data;
• Protecting against malicious, deceptive, fraudulent or illegal activity directed at DataGrail;
• Debugging to identify and repair errors that impair existing intended functionality.
• Analyze data to assess, understand and improve the Services and personalize user experiences, including creation of anonymized aggregated, statistical and benchmark data. Aggregated data is utilized to help develop and market products or Services and present targeted content and advertising
• Enable functionality of the Services to authenticate a user, prevent fraud, and implement security measures
• Undertaking activities to verify or maintain the quality of a service or product that is developed or provided, and to improve, upgrade, or enhance any service or product that is developed or provided by DataGrail.

Share with Service Providers. DataGrail has engaged with third party service providers to facilitate the DataGrail Services and operate our business, including without limitation, database management hosting, information technology, email delivery, customer support, sales and marketing outreach, consent management, analytics, data security and compliance services necessary to provide the Services. For each service provider, DataGrail will have in place written contracts that describes the purpose of the service and disclosure of Personal Data, and requires the service provider to both keep the Personal Data confidential and not use it for any purpose except performing the Services pursuant to such contract.

AI Enabled Service Providers. Our Services include AI-enabled features that allow customers to submit privacy, security, and compliance-related information in order to generate assessments, recommendations, templates, and related content. These features are customer-initiated and are designed to support privacy and security program management. To provide this functionality, we use AI services available through AWS to process customer-submitted information solely on our behalf and in accordance with our instructions. Customer data is used only to generate the requested outputs and to operate and improve the Services, subject to applicable contractual, confidentiality, and security safeguards. We do not permit AI service providers to use customer data to train their AI or machine learning models.

SMS Notifications – Notice & Consent. DataGrail utilizes a third party service provider, Twilio, to enable SMS notifications to its customers and its authorized users (as defined in the applicable Terms of Service or Services Agreement). You consent to receive recurring text messages relating to the Services to the mobile number associated with your account or otherwise provided to DataGrail. You understand and agree that text messages sent to your mobile number may be generated using automated technology, Message and data rates may apply. Reply STOP to opt-out or HELP for info. Consent is not a condition of any purchase. Mobile phone numbers are processed in accordance with Twilio’s Privacy Policy.

Analytics: DataGrail uses the following third party analytics services:

• Datadog. DataGrail utilizes Datadog, a SaaS based monitoring and analytics platform to obtain analytics, service application and infrastructure logs. Please see the Datadog EEA Data Processing Addendum and Datadog Privacy Policy for additional information.
• Google Analytics.DataGrail utilizes Google Analytics to access anonymized (nonpersonal) and/or pseudonymously identifiable personal data to help us understand how our Site and Services are used. Google Analytics is a web analytics tool that helps us understand how users engage with our Platform, so that we can review and improve our Services. Google Analytics provides a report to us with website trends without identifying the Personal Data of individual users. Please see Google’s Data Privacy and Security Policy. However, if you decide to withdraw your consent to such data collection, you may opt-out by installing Google Analytics Opt-out Browser Add-on.
• Matomo. DataGrail utilizes Matomo to understand how our Site and Services are used. It provides a report to DataGrail with website trends without identifying individual visitors. Site usage is tracked in accordance with the Matomo Privacy Policy.
• Vimeo. We utilize Vimeo to host video content. Vimeo collects viewing analytics and technical data (e.g., IP addresses) to monitor video performance. See the Vimeo Privacy Policy for details.

Sales & Marketing. Personal Data is collected for the following sales and marketing purposes:

• Sales Team Engagement (Gong). DataGrail utilizes the Gong digital communications solution to enable its sales team to capture and summarize customer communications to improve customer engagement. At DataGrail’s election, Gong.io may utilize biometric identification, including voiceprint identification, to match a user’s identity with information on file with DataGrail’s sales team. Each user’s consent is expressly obtained prior to collecting such information. Please see the Gong Privacy Policy for additional information.
• Prospective Leads Updates (ZoomInfo, G2, Clay, & Storylane). DataGrail utilizes ZoomInfo and G2 to supplement contact information with professional profile data (e.g., job title, company). We use Clay for data enrichment and Storylane to provide interactive product demonstrations. This data is used to identify and communicate with prospective leads.
• Sales Automation & Analytics (Outreach). DataGrail utilizes Outreach.io to automate its sales processes and generate actionable insights to help manage inbound and outbound sales processes. To the extent DataGrail utilizes Outreach’s call recording (audio/video) functionality, it will first obtain your consent to record calls prior to making such recording in accordance with applicable laws. Contact information shared with Outreach will be used solely for purposes of sales engagement functions made available through the Platform. Please see the Outreach Privacy Policy for additional information.
• Marketing Outreach & Automation (HubSpot, Unbounce, & Sendoso). DataGrail utilizes Sendoso to coordinate personalized marketing outreach efforts to current and prospective customers. Contact information such as name, email and addresses are shared for purposes of sending e-gifts, direct mail, and physical personalized gifts sent directly at DataGrail’s request. Please see the Sendoso Privacy Policy.

DataGrail’s use and transfer to any other app of information received from Google Accounts will adhere to Google API Services User Data Policy, including the Limited Use requirements. This is in compliance/adherence to the Google API Services User Data Policy, including the Limited Use requirements.

Compliance with Laws and Data Protection. Personal Data may be disclosed to serve our legitimate business interests including:

• As required by law, such as to comply with a subpoena, respond to a court order, subpoena or a government request (such as a search warrant, or similar legal process) for which we will use commercially reasonable efforts to notify you about law enforcement or court ordered requests for data, unless otherwise prohibited by law.
• If DataGrail is involved in a merger, acquisition, or sale of all or a portion of its assets to transfer or assign your Personal Data as part of such merger, acquisition, sale, or other change of control.
• To investigate, prevent, or take action regarding suspected or actual illegal activities or to assist government enforcement agencies.
• Enforcing our agreements and polices against you, including for billing purposes.
• Investigate and defend ourselves against any third-party claims or allegations.
• To third-party business partners at your direction, if you access or request contact from the third-party business partners through the Site or Services.

4. Retention and Deletion of Personal Data; De-Identified Data

Unless erasure is otherwise requested under applicable law or as otherwise stated in this Privacy Policy, DataGrail will retain account data as long as it is necessary to provide services to our customers. Personal Data obtained from Platform visitors will be maintained as long as it is necessary to provide requested communications and information-based services or until a visitor exercises the right to opt-out of requested communications or information-based services. Anonymized and pseudo-anonymized data will be retained as long as DataGrail determines such data is commercially necessary for its legitimate business interests.

To the extent DataGrail de-identifies any Personal Data, DataGrail shall maintain and use such de-identified data without attempting to re-identify the data.

8. Supplemental U.S. State-Specific Notices – Notice of Collection

This supplemental notice sets forth the disclosures and rights applicable to U.S. residents residing in U.S. states which have enacted consumer data privacy laws.

This supplemental notice sets forth the disclosures and rights applicable to U.S. residents residing in U.S. states which have enacted consumer data privacy laws.

A. Notice at Collection.  DataGrail collects, uses and/or discloses Personal Data, and in the preceding 12 months has collected, used and or disclosed, Personal Data as follows:

DataGrail does not retain a consumer’s Personal Data for longer than is reasonably necessary for each disclosed purpose.

Other Potential Disclosures: Personal Data may also be disclosed to serve our legitimate business interests as follows: (a) as required by law, such as to comply with a subpoena, or similar legal process, (b) as part of a merger, acquisition, bankruptcy or other transaction in which a third party assumes control of all or part of the business, (c) to investigate, prevent, or take action regarding suspected or actual illegal activities or to assist government enforcement agencies as required by law; (d) enforce our agreements with you, and/or (e) investigate and defend ourselves against any third-party claims or allegations.

B. Sale of Personal Data; Sharing of Personal Data; Right to Opt-Out

DataGrail does not and will not sell your Personal Data.

However, DataGrail shares Personal Data in connection with its  use of personalized advertising related tracking technologies.

You have the right to opt-out of “sale” or “sharing” of your Personal Data with third parties who are not our service providers (as those terms are defined by applicable laws) and/or to opt out of cross-context behavioral advertising and targeted advertising by clicking  “My Privacy Choices” link at the bottom of our Site to access available opt-out mechanisms.

You can also submit a request to opt-out through the DataGrail’s Opt-Out Form or by emailing us at [email protected] with the subject line “Do Not Sell or Share.”

Finally, if your browser supports it, you can turn on the Global Privacy Control to automatically opt-out of the sale or sharing of your Personal Data.

C. Collection of Sensitive Information

DataGrail collects Sensitive Personal Data specifically biometric voiceprints for sales analytics, only with your express consent.

D. Consumer Rights. Consumers may visit DataGrail’s Trust Center or contact DataGrail directly to exercise the following consumer rights:

1. Request DataGrail Disclose At No Charge (“Right to Know”):
   • Specific pieces of personal information it has collected about you;
   • categories of Personal Data collected, used, and/or disclosed about you;
   • categories of sources from which Personal Data is collected;
   • business and/or commercial purposes for collecting and disclosing your Personal Data;
   • categories of third parties with whom your Personal Data has been disclosed/shared; and

   Right to Know Requests can be submitted to DataGrail through the DataGrail’s Privacy Request Form or by email at [email protected].

2. Request DataGrail to Delete At No Charge (“Right to Delete”): Deletion Requests can be submitted to DataGrail through the DataGrail’s Privacy Request Form, or by email at [email protected].
3. Request DataGrail Correct At No Charge (“Right to Correct”): Requests that DataGrail correct any inaccurate Personal Data collected by DataGrail can be submitted by through the DataGrail’s Privacy Request Form, or by mail to [email protected]

E. Verified Request Process

DataGrail will verify all consumer requests prior to taking any action in response to such request. For consumers that maintain an account with DataGrail, it may verify the identity of the consumer making the request by either matching information with the account information on file or through existing account authentication credentials.

Under applicable state law, you may exercise these rights yourself or you may designate an authorized agent to make these requests on your behalf. Authorized agents must demonstrate they have written authorization from you to make requests on your behalf. DataGrail may additionally require the consumer to confirm their identity and verify the authorized agent’s permission before complying with any request.

F. Consumer Request Limitations

Please note that these rights are not absolute and in certain cases are subject to conditions or limitations as specified in the applicable state laws, including, but not limited to:

• DataGrail is obligated to disclose/delete only upon a verifiable Consumer request from the consumer or an authorized agent acting on behalf of Consumer.
• Consumers may only make a personal information request twice in a 12-month period.
• Deletion is not required if it is necessary for DataGrail to maintain the Personal Data to fulfill applicable permissible purposes enumerated pursuant to applicable state consumer privacy laws.

DataGrail will confirm and respond to all requests within the timeframe required under applicable state law. In responding to any request to disclose/delete, DataGrail shall maintain a record of the requests as required under applicable state law.

G. Non-Discrimination Policy

You have the right not to receive discriminatory treatment for exercising any rights conferred by the CCPA and VCDPA. DataGrail shall not discriminate against a consumer for exercising any statutory consumer privacy rights, including, but not limited to, (a) denying goods or services, (b) charging different prices or rates (including discounts/penalties) that is not directly related to the value provided to DataGrail for the Personal Data, (c) suggesting Consumer will receive a different rate/price or different level of quality of goods/services, or (d) providing a different level of quality of goods/ services.

Employees, applicants and independent contractors have the right not to be retaliated against for the exercise of their CCPA rights.

H. Right to Appeal

If you are in a jurisdiction that recognizes your ability to appeal a decision made in connection with your attempt to assert a right under applicable U.S. Privacy Laws, you may file an appeal of our decision refusing your request to exercise your rights under this privacy notice. You may request an appeal of such decision by contacting us at [email protected].  Please provide the state that you are writing from, accompanied with documentation you may have regarding the matter you are appealing. Company will respond to your appeal request within the timeframe required under the U.S. Privacy Laws applicable to your state of residence.

Please provide the state that you are writing from, accompanied with documentation you may have regarding the matter you are appealing. Savvy will respond to your appeal request within the timeframe required under the U.S. State Privacy Laws applicable to your state of residence.

If we deny your appeal, you have the right to file a complaint with your state’s consumer protection authority pursuant to the applicable consumer complaint process for the applicable state agencies, see the Right to Appeal for additional information.

I. Your California Privacy Rights under California Civil Code Section 1798.83 & Business and Professions Code Section 22581

California law permits Consumers to request and obtain from DataGrail once a year, free of charge, certain information about their Personally Identifiable Information (“PII”) (as defined by California law) disclosed to third parties for direct marketing purposes in the preceding calendar year (if any). If applicable, this information would include a list of the categories of PII that was shared and the names and addresses of all third parties with which we shared information in the immediately preceding calendar year.

In addition, a business subject to California Business and Professions Code Section 22581 must allow California residents under age 18 who are registered users of online Sites, services or applications to request and obtain removal of content or information they have publicly posted. Your request should include a detailed description of the specific content or information to be removed. Please be aware that your request does not guarantee complete or comprehensive removal of content or information posted online and that the law may not permit or require removal in certain circumstances.

J. Accessibility of this Policy.

• You can download and print a copy of this Notice here

K. Contact Us

If you have any questions regarding your Personal Data or about our privacy practices, please contact us at: DataGrail, Inc., Attention: Privacy Department, 225 Bush Street, Suite 360, San Francisco CA 94104 or by email at: [email protected].

9. Applicable EU GDPR Notices

While DataGrail is primarily based in the United States, the company maintains operations in Europe and may direct our Platform to individuals located in the European Economic Area (“EEA”), United Kingdom (“UK”) and Switzerland. The following disclosures apply to our processing of personal data in connection with our Platform operations with European individuals (“EU Users”).   We transfer Personal Data to the U.S. using European Commission-approved Standard Contractual Clauses or the EU-U.S. Data Privacy Framework

Data Processor. DataGrail is the processor of all Customer Data (as defined in the applicable Terms of Service), including Personal Data input by a Customer, and its Authorized Users, in connection with a Customer’s use of the DataGrail Services.

Data Controller. The Personal Data input by (a) visitors in general, and (b) Customer for purposes of establishing a commercial account with Customer, is controlled by DataGrail, Attention: Privacy Department, 225 Bush Street, Suite 360, San Francisco CA 94104. You may contact us at any time through the DataGrail’s Privacy Request Form or by emailing us at [email protected]

For applicable EU Users, we will only collect and process Personal Data about you where we have lawful bases. Lawful bases include consent (where you have given consent), contract (where processing is necessary for the performance of a contract with you, and “legitimate interests.” Where we rely on your consent to process personal data, you have the right to withdraw or decline your consent at any time and where we rely on legitimate interests, you have the right to object. If you have any questions about the lawful bases upon which we collect and use your personal data, please submit a request through the DataGrail’s Privacy Request Form or email DataGrail at [email protected].

You also have the right to lodge a complaint to your local data protection authority. If you are based in the European Union, information about how to contact your local data protection authority is available here. If you are based in the UK or Switzerland, your local data protection authorities are the UK Information Commissioner’s Office (https://ico.org.uk/global/contact-us/) and the Swiss Federal Data Protection and Information Commissioner (https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact/address.html).

In some cases our ability to uphold these rights for you may depend upon our obligations to process personal information for security, safety, fraud prevention reasons, compliance with regulatory or legal requirements, or because processing is necessary to deliver the services you have requested. Where this is the case, we will inform you of specific details in response to your request.

In accordance with applicable privacy law, you have the following rights in respect of your personal information that we hold:

1. Right of access. You have the right to obtain:
   1. confirmation of whether, and where, we are processing your personal information;
   2. information about the categories of personal information we are processing, the purposes for which we process your personal information and information as to how we determine applicable retention periods;
   3. information about the categories of recipients with whom we may share your personal information; and
   4. a copy of the personal information we hold about you.
2. Right of portability. You have the right, in certain circumstances, to receive a copy of the personal information you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your personal data to another person.
3. Right to rectification. You have the right to obtain rectification of any inaccurate or incomplete personal information we hold about you without undue delay.
4. Right to erasure. You have the right, in some circumstances, to require us to erase your personal information without undue delay if the continued processing of that personal information is not justified.
5. Right to restriction. You have the right, in some circumstances, to require us to limit the purposes for which we process your personal information if the continued processing of the personal information in this way is not justified, such as where the accuracy of the personal information is contested by you.
6. Right to withdraw consent. There are certain circumstances where we require your consent to process your personal information. In these instances, and if you have provided consent, you have the right to withdraw your consent. If you withdraw your consent, this will not affect the lawfulness of our use of your personal information before your withdrawal. Requests under this Section can be made through DataGrail’s Privacy Request Form. We will respond in the timeframes required under applicable law. For all requests made pursuant to this section, DataGrail will (a) respond as required under applicable law, (b) provide a copy of any requested Personal Data in a structured, commonly used and machine-readable format, and/or (c) transmit such Personal Data to another service provider without restriction in accordance with applicable law.